Commit graph

11076 commits

Author SHA1 Message Date
Alejandro Baez 7d68d7eaa6
Add PolicyReadByName for API (#6615) 2020-03-25 10:34:24 -04:00
Chris Piraino 0c5c97205f
Fix flakey health check reload test (#7490)
This test would occasionally fail because we checked for a status of
"critical" initially. This races with the actual healthcheck being run
and declared passing.

We instead use a ttl health check so that we don't rely on timing at all.
2020-03-25 09:09:13 -05:00
Iryna Shustava 6865d63df1
Add missing Helm docs (#7492) 2020-03-24 16:06:57 -07:00
Daniel Nephin 3b0696565d
Merge pull request #7481 from hashicorp/dnephin/go1.14
ci: Upgrade Go to 1.14.1
2020-03-24 16:23:53 -04:00
Daniel Nephin 8fa1388ba3
Merge pull request #7440 from hashicorp/dnephin/golangci-lint
ci: Use golangci-lint for linting
2020-03-24 16:00:59 -04:00
Daniel Nephin e3b4cd9b90 ci: Upgrade Go to 1.14.1 2020-03-24 15:55:47 -04:00
Daniel Nephin ce85bcfba0
Merge pull request #7482 from hashicorp/dnephin/fix-cherry-pick-job
ci: fix cherry-pick job by using newer git
2020-03-24 14:12:21 -04:00
Daniel Nephin 30b29f3517
Merge pull request #7484 from hashicorp/dnephin/fix-envoy-tests
Fix tests failing on master
2020-03-23 17:15:49 -04:00
Daniel Nephin 1eab9e06f0 Fix tests failing on master
The default version was changed in https://github.com/hashicorp/consul/pull/7452
which caused these tests to fail.
2020-03-23 16:38:14 -04:00
Daniel Nephin 8e0df141ff ci: fix cherry-pick job by using newer git
37897bfc27 made it possible to use
the -m flag with cherry-pick, even when the target is not a merge commit.

This commit changes the image used to run the cherry-pick job to alpine so that we get
a more recent version of git.

The alpine image will also download much faster when the CI node does not have the image cached.
2020-03-23 14:30:32 -04:00
kaitlincarter-hc a0839f8360
Add link to Learn to the top, move service mesh higher up on list of features. (#7474) 2020-03-23 12:10:42 -05:00
Daniel Nephin b347fab6f7
Merge pull request #7466 from hashicorp/dnephin/support-cherry-pick-merge-PRs
ci: support cherry-picking of merge PRs
2020-03-18 13:12:42 -04:00
Daniel Nephin f91ab0ccb7 ci: support cherry-picking of merge PRs
This change assumes that it is always safe to use the first commit
parent as the mainline. I believe this assumption is safe with a
github merge workflow.
2020-03-18 12:38:04 -04:00
Daniel Nephin 221aaa9651
Merge pull request #7458 from hashicorp/dnephin/small-doc-improvements
website/docs: small doc improvements to CLI reference
2020-03-17 18:35:44 -04:00
Hans Hasselberg 92a9bf1e13
envoy: default to 1.13.1 (#7452) 2020-03-17 22:23:42 +01:00
Kim Ngo 5f21b33e29
Update CHANGELOG.md 2020-03-17 15:02:56 -05:00
Hans Hasselberg 672db9bef6
docs: fix filenames (#7453) 2020-03-17 21:00:45 +01:00
Kim Ngo 9e8eb7896f
agent/xds: Update mesh gateway to use service router timeout (#7444)
* website/connect/proxy/envoy: specify timeout precedence for services behind mesh gateway
2020-03-17 14:50:14 -05:00
Daniel Nephin 4d485649d1 ci: Use golangci-lint for linting
Using golangci-lint has a number of advantages:

- adding new linters becomes much easier, its a couple lines of yaml config
  instead of more bash scripting

- it enables whitelisting of issues using inline comments or regex

- when running multiple linters less work is done. The parsed source can be reused
  by multiple linters

- linters are run in parallel to reduce CI runtime.
2020-03-17 13:43:40 -04:00
Chris Piraino 6f84d27bf1
Update CHANGELOG.md 2020-03-17 09:56:20 -05:00
Chris Piraino f13d6ca812
Log "vew version available" message at info level (#7462) 2020-03-17 09:53:15 -05:00
Pierre Souchay 48c5785f43
docs: fixed typo on MIME in Changelog (#7461) 2020-03-17 13:44:55 +01:00
Daniel Nephin 02fe105ac0 website/docs: small doc improvements to CLI reference
Small improvements to the join docs.

The help text for `lock` says -try is deprecated and replaced with -timeout.
Update the docs to match.
2020-03-16 17:54:45 -04:00
Hans Hasselberg 99d6d0d7a4
Update CHANGELOG.md to include 1.7.2 2020-03-16 22:08:40 +01:00
Hans Hasselberg 90a234d242
docs: update website version (#7456) 2020-03-16 22:03:36 +01:00
Matt Keeler ca96930283
Don’t pass -u to get get inside Go build image dockerfile (#7455) 2020-03-16 15:26:07 -04:00
Matt Keeler af8dddfbfd
Update CHANGELOG.md 2020-03-16 12:59:28 -04:00
Matt Keeler 58e2969fc1
Fix ACL mode advertisement and detection (#7451)
These changes are necessary to ensure advertisement happens correctly even when datacenters are connected via network areas in Consul enterprise.

This also changes how we check if ACLs can be upgraded within the local datacenter. Previously we would iterate through all LAN members. Now we just use the ServerLookup type to iterate through all known servers in the DC.
2020-03-16 12:54:45 -04:00
Matt Keeler ef944f6c3d
Update namespace docs for some new CLI commands (#7435)
Co-Authored-By: Hans Hasselberg <me@hans.io>
2020-03-16 09:42:39 -04:00
Charlie Jones 0fc91ca047
docs: fix typo in consul-template tutorial (#7454) 2020-03-16 14:04:28 +01:00
Daniel Nephin c4f9f8e8aa
Merge pull request #7438 from hashicorp/dnephin/remove-restore-cache
ci: Remove consul-modcache-v1 from ci config
2020-03-13 12:07:39 -04:00
Freddy e5ba744634
Update CHANGELOG.md 2020-03-12 12:41:41 -06:00
John Cowen 621e7bb11a
Update CHANGELOG.md 2020-03-12 18:31:51 +00:00
Alvin Huang 3e0ecc096c
cherry pick 'docs-cherrypick' label rather than 'docs' to stable-website (#7443) 2020-03-12 13:22:51 -04:00
Daniel Nephin ebe622b4a3 ci: Remove restore_cache
As of go1.13 it is faster to download dependencies from the module
proxy service, than to download a cached /go/pkg/mod
2020-03-11 15:50:42 -04:00
Freddy 8a7ff69b19
Update MSP token and filtering (#7431) 2020-03-11 12:08:49 -06:00
Alvin Huang 2622f2644a
add Authorization header in GitHub API call (#7436) 2020-03-11 13:25:15 -04:00
Hans Hasselberg 6a55f70fa6
tls: remove old ciphers (#7282)
Following advice from:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices, this PR removes old ciphers.
2020-03-10 21:44:26 +01:00
R.B. Boyer 7315147313 update changelog 2020-03-10 14:47:13 -05:00
R.B. Boyer bfd7424e0d
bump the expected go language version of the main module to 1.13 (#7429) 2020-03-10 14:46:09 -05:00
Alvin Huang bd951c7023
set pr_url outside if (#7424) 2020-03-10 12:31:58 -04:00
R.B. Boyer edea0432db update changelog 2020-03-10 11:20:30 -05:00
R.B. Boyer 10d3ff9a4f
server: strip local ACL tokens from RPCs during forwarding if crossing datacenters (#7419)
Fixes #7414
2020-03-10 11:15:22 -05:00
R.B. Boyer e142934a9c
fix flaky TestCatalogListNodesCommand_verticalBar test (#7422) 2020-03-10 11:01:13 -05:00
Matt Keeler eb44ea335c
Update intention precedence table in the docs (#7421)
* Update intention precedence table in the docs

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>
2020-03-10 11:49:08 -04:00
Alvin Huang 740bee5928
add slack notifications for cherry-pick (#7423) 2020-03-10 11:47:23 -04:00
Hans Hasselberg f49144fcee
connect: support for envoy 1.13.1 and 1.12.3 (#7380)
* setup new envoy versions for CI
* bump version on the website too.
2020-03-10 11:04:46 +01:00
Kyle Havlovitz 520d464c85
Merge pull request #7373 from hashicorp/acl-segments-fix
Add stub methods for ACL/segment bug fix from enterprise
2020-03-09 14:25:49 -07:00
R.B. Boyer 3ca1216876 update changelog 2020-03-09 16:00:59 -05:00
R.B. Boyer a7fb26f50f
wan federation via mesh gateways (#6884)
This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch:

There are several distinct chunks of code that are affected:

* new flags and config options for the server

* retry join WAN is slightly different

* retry join code is shared to discover primary mesh gateways from secondary datacenters

* because retry join logic runs in the *agent* and the results of that
  operation for primary mesh gateways are needed in the *server* there are
  some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur
  at multiple layers of abstraction just to pass the data down to the right
  layer.

* new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers

* the function signature for RPC dialing picked up a new required field (the
  node name of the destination)

* several new RPCs for manipulating a FederationState object:
  `FederationState:{Apply,Get,List,ListMeshGateways}`

* 3 read-only internal APIs for debugging use to invoke those RPCs from curl

* raft and fsm changes to persist these FederationStates

* replication for FederationStates as they are canonically stored in the
  Primary and replicated to the Secondaries.

* a special derivative of anti-entropy that runs in secondaries to snapshot
  their local mesh gateway `CheckServiceNodes` and sync them into their upstream
  FederationState in the primary (this works in conjunction with the
  replication to distribute addresses for all mesh gateways in all DCs to all
  other DCs)

* a "gateway locator" convenience object to make use of this data to choose
  the addresses of gateways to use for any given RPC or gossip operation to a
  remote DC. This gets data from the "retry join" logic in the agent and also
  directly calls into the FSM.

* RPC (`:8300`) on the server sniffs the first byte of a new connection to
  determine if it's actually doing native TLS. If so it checks the ALPN header
  for protocol determination (just like how the existing system uses the
  type-byte marker).

* 2 new kinds of protocols are exclusively decoded via this native TLS
  mechanism: one for ferrying "packet" operations (udp-like) from the gossip
  layer and one for "stream" operations (tcp-like). The packet operations
  re-use sockets (using length-prefixing) to cut down on TLS re-negotiation
  overhead.

* the server instances specially wrap the `memberlist.NetTransport` when running
  with gateway federation enabled (in a `wanfed.Transport`). The general gist is
  that if it tries to dial a node in the SAME datacenter (deduced by looking
  at the suffix of the node name) there is no change. If dialing a DIFFERENT
  datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh
  gateways to eventually end up in a server's :8300 port.

* a new flag when launching a mesh gateway via `consul connect envoy` to
  indicate that the servers are to be exposed. This sets a special service
  meta when registering the gateway into the catalog.

* `proxycfg/xds` notice this metadata blob to activate additional watches for
  the FederationState objects as well as the location of all of the consul
  servers in that datacenter.

* `xds:` if the extra metadata is in place additional clusters are defined in a
  DC to bulk sink all traffic to another DC's gateways. For the current
  datacenter we listen on a wildcard name (`server.<dc>.consul`) that load
  balances all servers as well as one mini-cluster per node
  (`<node>.server.<dc>.consul`)

* the `consul tls cert create` command got a new flag (`-node`) to help create
  an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 15:59:02 -05:00