Commit Graph

9324 Commits

Author SHA1 Message Date
John Cowen 5eb5065f70
UI: Text change and clarity Node Health > Health Checks (#5115)
Text change Node Health > Health Checks
Also adds an info icon and tooltip to Health Checks column header
2019-01-17 09:20:00 +00:00
Jihoon Chung 788bf610ae ui: Fix typo in acl-migration guide link (#5135) 2019-01-17 09:03:23 +00:00
Rebecca Zanzig 8e1e76476a
Merge pull request #5230 from hashicorp/docs/helm-formatting
Docs/helm formatting
2019-01-16 15:00:42 -08:00
Rebecca Zanzig a023a09ed0 Fix broken links 2019-01-16 14:42:12 -08:00
Rebecca Zanzig 30e4796efe Indent code blocks further to fix list formatting 2019-01-16 14:31:50 -08:00
Rebecca Zanzig e46dd7c059
Merge pull request #5222 from hashicorp/docs/helm-0.5.0
Add documentation about the two additional Helm chart options
2019-01-16 14:18:15 -08:00
Chris Wang 1143878455 Fix typo in k8s connect documentation (#5229) 2019-01-16 17:03:40 -05:00
kaitlincarter-hc 7e8553ba4a
Update links for learn migration (#5223)
* Stared updaing links for the learn migration

* Language change cluster -> datacenter (#5212)

* Updating the language from cluster to datacenter in the backup guide to be consistent and more accurate.

* missed some clusters

* updated three broken links for the sidebar nav
2019-01-15 14:57:17 -06:00
Hans Hasselberg 2f67d84cfd
Sorting entries in Changelog for upcoming release 2019-01-15 10:54:03 +01:00
Rebecca Zanzig b221d239e3
Merge pull request #5213 from hashicorp/docs/helm-security
Add a security warning about the default Helm chart installation
2019-01-14 16:28:31 -08:00
Rebecca Zanzig c085f005e1 Add documentation about the two additional Helm chart options
Adds info about `k8stag` and `nodePortSyncType` options that were
added in consul-helm v0.5.0.

Additionally moves the k8sprefix to match the order in the Helm chart
values file, while also clarifying that it only affects one sync
direction.
2019-01-14 16:15:26 -08:00
Rebecca Zanzig 880544dd85 Add a security warning about the default Helm chart installation
If a user installs the default Helm chart Consul on a Kubernetes
cluster that is open to the internet, it is lacking some important
security configurations.
2019-01-14 15:59:27 -08:00
kaitlincarter-hc 737143418d
Language change cluster -> datacenter (#5212)
* Updating the language from cluster to datacenter in the backup guide to be consistent and more accurate.

* missed some clusters
2019-01-14 10:46:34 -06:00
Matt Keeler e357e33d76
Update CHANGELOG.md 2019-01-11 16:06:17 -05:00
Matt Keeler 2f6a9edfac
Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs (#5211)
* Store leaf cert indexes in raft and use for the ModifyIndex on the returned certs

This ensures that future certificate signings will have a strictly greater ModifyIndex than any previous certs signed.
2019-01-11 16:04:57 -05:00
Matt Keeler 3547b7eeb5
Update CHANGELOG.md 2019-01-11 09:31:49 -05:00
Aestek ff13518961 Improve blocking queries on services that do not exist (#4810)
## Background

When making a blocking query on a missing service (was never registered, or is not registered anymore) the query returns as soon as any service is updated.
On clusters with frequent updates (5~10 updates/s in our DCs) these queries virtually do not block, and clients with no protections againt this waste ressources on the agent and server side. Clients that do protect against this get updates later than they should because of the backoff time they implement between requests.

## Implementation

While reducing the number of unnecessary updates we still want :
* Clients to be notified as soon as when the last instance of a service disapears.
* Clients to be notified whenever there's there is an update for the service.
* Clients to be notified as soon as the first instance of the requested service is added.

To reduce the number of unnecessary updates we need to block when a request to a missing service is made. However in the following case :

1. Client `client1` makes a query for service `foo`, gets back a node and X-Consul-Index 42
2. `foo` is unregistered 
3. `client1`  makes a query for `foo` with `index=42` -> `foo` does not exist, the query blocks and `client1` is not notified of the change on `foo` 

We could store the last raft index when each service was last alive to know wether we should block on the incoming query or not, but that list could grow indefinetly. 
We instead store the last raft index when a service was unregistered and use it when a query targets a service that does not exist. 
When a service `srv` is unregistered this "missing service index" is always greater than any X-Consul-Index held by the clients while `srv` was up, allowing us to immediatly notify them.

1. Client `client1` makes a query for service `foo`, gets back a node and `X-Consul-Index: 42`
2. `foo` is unregistered, we set the "missing service index" to 43 
3. `client1` makes a blocking query for `foo` with `index=42` -> `foo` does not exist, we check against the "missing service index" and return immediatly with `X-Consul-Index: 43`
4. `client1` makes a blocking query for `foo` with `index=43` -> we block
5. Other changes happen in the cluster, but foo still doesn't exist and "missing service index" hasn't changed, the query is still blocked
6. `foo` is registered again on index 62 -> `foo` exists and its index is greater than 43, we unblock the query
2019-01-11 09:26:14 -05:00
R.B. Boyer 3c52de46de
website: minor acl guide fixes (#5214) 2019-01-10 14:17:20 -06:00
Elghazal Ahmed d7c4b5fe2a website: add autowire in Community Tools list (#5118)
* add autowire in Community Tools list

* put list in the right alphabetic order
2019-01-10 12:27:55 -06:00
Hans Hasselberg 85f227f333
Update CHANGELOG.md 2019-01-10 17:44:40 +01:00
Hans Hasselberg c321eadf57
Update CHANGELOG.md 2019-01-10 17:43:31 +01:00
Matt Keeler 938707d73f
Update CHANGELOG.md 2019-01-10 11:25:01 -05:00
Matt Keeler 340d20c964
cache: Pass through wait query param to the cache.Get (#5203)
This adds a MaxQueryTime field to the connect ca leaf cache request type and populates it via the wait query param. The cache will then do the right thing and timeout the operation as expected if no new leaf cert is available within that time.

Fixes #4462 

The reproduction scenario in the original issue now times out appropriately.
2019-01-10 11:23:37 -05:00
Matt Keeler 5e2013cc54
Update CHANGELOG.md 2019-01-10 10:51:16 -05:00
Pierre Souchay 8dd3476921 Allow `"disable_host_node_id": false` to work on Linux as non-root. (#4926)
Bump `shirou/gopsutil` to include https://github.com/shirou/gopsutil/pull/603

This will allow to have consistent node-id even when machine is reinstalled
when using `"disable_host_node_id": false`

It will fix https://github.com/hashicorp/consul/issues/4914 and allow having
the same node-id even when reinstalling a node from scratch. However,
it is only compatible with a single OS (installing to Windows will change
the node-id, but it seems acceptable).
2019-01-10 10:50:14 -05:00
Matt Keeler 3b8bdf0f62
Update CHANGELOG.md 2019-01-10 09:29:51 -05:00
Aestek 154c41e165 [Security] Allow blocking Write endpoints on Agent using Network Addresses (#4719)
* Add -write-allowed-nets option

* Add documentation for the new write_allowed_nets option
2019-01-10 09:27:26 -05:00
Matt Keeler 29b4512120
acl: Prevent tokens from deleting themselves (#5210)
Fixes #4897 

Also apparently token deletion could segfault in secondary DCs when attempting to delete non-existant tokens. For that reason both checks are wrapped within the non-nil check.
2019-01-10 09:22:51 -05:00
Paul Banks cc14db1c26
Update CHANGELOG.md 2019-01-10 12:50:31 +00:00
Paul Banks d4ae9d8e46
Update CHANGELOG.md 2019-01-10 12:47:59 +00:00
Paul Banks c4fa66b4c9
connect: agent leaf cert caching improvements (#5091)
* Add State storage and LastResult argument into Cache so that cache.Types can safely store additional data that is eventually expired.

* New Leaf cache type working and basic tests passing. TODO: more extensive testing for the Root change jitter across blocking requests, test concurrent fetches for different leaves interact nicely with rootsWatcher.

* Add multi-client and delayed rotation tests.

* Typos and cleanup error handling in roots watch

* Add comment about how the FetchResult can be used and change ca leaf state to use a non-pointer state.

* Plumb test override of root CA jitter through TestAgent so that tests are deterministic again!

* Fix failing config test
2019-01-10 12:46:11 +00:00
kaitlincarter-hc 2e972b46c6
Re-worked the ACL guide into two docs and an updated guide. (#5093)
* Re-worked the ACL guide into two docs and an updated guide.

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Updating syntax based on amayer5125's comments.

* Missed one of amayer5125's comments

* found a bad link in the acl system docs

* fixing a link in the rules docs
2019-01-09 15:07:20 -06:00
Matt Keeler 021138c923
Update CHANGELOG.md 2019-01-08 11:44:36 -05:00
dawxy f4288baafe Fix data race (#5029)
Fix #4357
2019-01-08 11:43:14 -05:00
Hans Hasselberg 092907077d
connect: add tls config for vault connect ca provider (#5125)
* add tlsconfig for vault connect ca provider.
* add options to the docs
* add tests for new configuration
2019-01-08 17:09:22 +01:00
Hans Hasselberg 08502cfa61
snapshot: read meta.json correctly. (#5193)
* snapshot: read meta.json correctly.

Fixes #4452.
2019-01-08 17:06:28 +01:00
Alejandro Guirao Rodríguez 7b1bd33add agent/config: Fix typo in comment (#5202) 2019-01-08 16:27:22 +01:00
Paul Banks 5105c46b92
Update CHANGELOG.md 2019-01-08 10:16:34 +00:00
Paul Banks fcdb5b3494
agent: add default weights to service in local state to prevent AE churn (#5126)
* Add default weights when adding a service with no weights to local state to prevent constant AE re-sync.

This fix was contributed by @42wim in https://github.com/hashicorp/consul/pull/5096 but was merged against the wrong base. This adds it to master and adds a test to cover the behaviour.

* Fix tests that broke due to comparing internal state which now has default weights
2019-01-08 10:13:49 +00:00
Paul Banks 99e20e2d9e
Update CHANGELOG.md 2019-01-08 10:09:03 +00:00
Paul Banks 1bf3a37597
agent: Don't leave old errors around in cache (#5094)
* Fixes #4480. Don't leave old errors around in cache that can be hit in specific circumstances.

* Move error reset to cover extreme edge case of nil Value, nil err Fetch
2019-01-08 10:06:38 +00:00
Jack Pearkes 5b31ec33db
website: fixed ca provider references (#5185)
Fixes https://github.com/hashicorp/consul/issues/5182.
2019-01-07 18:47:02 -08:00
Matt Keeler f2456d1b02
Update CHANGELOG.md 2019-01-07 16:55:14 -05:00
Pierre Souchay 5b8a7d7127 Avoid to have infinite recursion in DNS lookups when resolving CNAMEs (#4918)
* Avoid to have infinite recursion in DNS lookups when resolving CNAMEs

This will avoid killing Consul when a Service.Address is using CNAME
to a Consul CNAME that creates an infinite recursion.

This will fix https://github.com/hashicorp/consul/issues/4907

* Use maxRecursionLevel = 3 to allow several recursions
2019-01-07 16:53:54 -05:00
Paul Banks 339dc78456
Update CHANGELOG.md 2019-01-07 21:32:20 +00:00
Paul Banks 0962e95e85
bugfix: use ServiceTags to generate cache key hash (#4987)
* bugfix: use ServiceTags to generate cahce key hash

* update unit test

* update

* remote print log

* Update .gitignore

* Completely deprecate ServiceTag field internally for clarity

* Add explicit test for CacheInfo cases
2019-01-07 21:30:47 +00:00
R.B. Boyer f5e7709dd7 Update CHANGELOG.md 2019-01-07 15:05:06 -06:00
R.B. Boyer 7f30950060
update github.com/hashicorp/{serf,memberlist,go-sockaddr} (#5189)
This activates large-cluster improvements in the gossip layer from
https://github.com/hashicorp/memberlist/pull/167
2019-01-07 15:00:47 -06:00
Matt Keeler e90a846128
Update CHANGELOG.md 2019-01-07 13:56:08 -05:00
Aestek eba1dd7856 Prevent status flap when re-registering a check (#4904)
Fixes point `#2` of: https://github.com/hashicorp/consul/issues/4903

When registering a service each healthcheck status is saved and restored (https://github.com/hashicorp/consul/blob/master/agent/agent.go#L1914) to avoid unnecessary flaps in health state.
This change extends this feature to single check registration by moving this protection in `AddCheck()` so that both `PUT /v1/agent/service/register` and `PUT /v1/agent/check/register` behave in the same idempotent way.

#### Steps to reproduce
1. Register a check :
```
curl -X PUT \
  http://127.0.0.1:8500/v1/agent/check/register \
  -H 'Content-Type: application/json' \
  -d '{
  "Name": "my_check",
  "ServiceID": "srv",
  "Interval": "10s",
  "Args": ["true"]
}'
```
2. The check will initialize and change to `passing`
3. Run the same request again
4. The check status will quickly go from `critical` to `passing` (the delay for this transission is determined by https://github.com/hashicorp/consul/blob/master/agent/checks/check.go#L95)
2019-01-07 13:53:03 -05:00