Commit Graph

147 Commits

Author SHA1 Message Date
Matt Keeler 0c76a4389f
ACL Token Persistence and Reloading (#5328)
This PR adds two features which will be useful for operators when ACLs are in use.

1. Tokens set in configuration files are now reloadable.
2. If `acl.enable_token_persistence` is set to `true` in the configuration, tokens set via the `v1/agent/token` endpoint are now persisted to disk and loaded when the agent starts (or during configuration reload)

Note that token persistence is opt-in so our users who do not want tokens on the local disk will see no change.

Some other secondary changes:

* Refactored a bunch of places where the replication token is retrieved from the token store. This token isn't just for replicating ACLs and now it is named accordingly.
* Allowed better paths in the `v1/agent/token/` API. Instead of paths like: `v1/agent/token/acl_replication_token` the path can now be just `v1/agent/token/replication`. The old paths remain to be valid. 
* Added a couple new API functions to set tokens via the new paths. Deprecated the old ones and pointed to the new names. The names are also generally better and don't imply that what you are setting is for ACLs but rather are setting ACL tokens. There is a minor semantic difference there especially for the replication token as again, its no longer used only for ACL token/policy replication. The new functions will detect 404s and fallback to using the older token paths when talking to pre-1.4.3 agents.
* Docs updated to reflect the API additions and to show using the new endpoints.
* Updated the ACL CLI set-agent-tokens command to use the non-deprecated APIs.
2019-02-27 14:28:31 -05:00
danielehc 6d3d18d244 Add more details on SkipNodeUpdate option (#5345)
* Add more details on SkipNodeUpdate option

* Updating the language for the entire parameter.
2019-02-26 11:00:23 -06:00
Paul Banks abc5478b51 Add common blocking implementation details to docs (#5358)
* Add common blocking implementation details to docs

These come up over and over again with blocking query loops in our own code and third-party's. #5333 is possibly a case (unconfirmed) where "badly behaved" blocking clients cause issues, however since we've never explicitly documented these things it's not reasonable for third-party clients to have guessed that they are needed!

This hopefully gives us something to point to for the future.

It's a little wordy - happy to consider breaking some of the blocking stuff out of this page if we think it's appropriate but just wanted to quickly plaster over this gap in our docs for now.

* Update index.html.md

* Apply suggestions from code review

Co-Authored-By: banks <banks@banksco.de>

* Update index.html.md

* Update index.html.md

* Clearified monotonically

* Fixing formating
2019-02-21 15:33:45 -06:00
Marlon Maxwel 22071adec8 Documentation - New plugin for frontend applications based in webpack (#5310)
* Add new plugin for front-end applications based in webpack

* Fix doc suggestion

Co-Authored-By: marlonmleite <marlonmleite@gmail.com>
2019-02-12 11:13:43 -06:00
Matt Keeler 210c3a56b0
Improve Connect with Prepared Queries (#5291)
Given a query like:

```
{
   "Name": "tagged-connect-query",
   "Service": {
      "Service": "foo",
      "Tags": ["tag"],
      "Connect": true
   }
}
```

And a Consul configuration like:

```
{
   "services": [
      "name": "foo",
      "port": 8080,
      "connect": { "sidecar_service": {} },
      "tags": ["tag"]
   ]
}
```

If you executed the query it would always turn up with 0 results. This was because the sidecar service was being created without any tags. You could instead make your config look like:

```
{
   "services": [
      "name": "foo",
      "port": 8080,
      "connect": { "sidecar_service": {
         "tags": ["tag"]
      } },
      "tags": ["tag"]
   ]
}
```

However that is a bit redundant for most cases. This PR ensures that the tags and service meta of the parent service get copied to the sidecar service. If there are any tags or service meta set in the sidecar service definition then this copying does not take place. After the changes, the query will now return the expected results.

A second change was made to prepared queries in this PR which is to allow filtering on ServiceMeta just like we allow for filtering on NodeMeta.
2019-02-04 09:36:51 -05:00
Jack Pearkes 38370278f3 fix broken link (#5273) 2019-01-25 11:40:31 -06:00
Kyle Havlovitz b0f07d9b5e
Merge pull request #4869 from hashicorp/txn-checks
Add node/service/check operations to transaction api
2019-01-22 11:16:09 -08:00
Kyle Havlovitz 70a6f5b2c0 txn: update existing txn api docs with new operations 2019-01-15 16:54:07 -08:00
Grégoire Seux 6a57c7fec5 Implement /v1/agent/health/service/<service name> endpoint (#3551)
This endpoint aggregates all checks related to <service id> on the agent
and return an appropriate http code + the string describing the worst
check.

This allows to cleanly expose service status to other component, hiding
complexity of multiple checks.
This is especially useful to use consul to feed a load balancer which
would delegate health checking to consul agent.

Exposing this endpoint on the agent is necessary to avoid a hit on
consul servers and avoid decreasing resiliency (this endpoint will work
even if there is no consul leader in the cluster).
2019-01-07 09:39:23 -05:00
Alvin Huang 7dfc32d1c4
Merge pull request #5065 from hashicorp/clarify_separator_api
clarify how `separator` should be in CLI and API
2018-12-12 12:14:19 -08:00
Jack Pearkes 965b6efaaa
website: clarify catalog registration ID behavior (#5019)
* website: clarify catalog registration ID behavior

Fixes #3769

* Update catalog.html.md
2018-12-11 11:06:18 -08:00
Jack Pearkes f2f2259cd2
website: clarify format of check IDs for sessions (#5036)
* website: clarify format of check IDs for sessions

* Update website/source/api/session.html.md

Co-Authored-By: pearkes <jackpearkes@gmail.com>
2018-12-11 09:00:52 -08:00
Alvin Huang 10c5b84a64 change depth to prefix 2018-12-07 14:57:00 -05:00
Alvin Huang 0e35b10683 clarify how `separator` should be in CLI and API 2018-12-06 10:59:43 -05:00
Jack Pearkes 5f55d8809b
website: clarify uuid format (#5014) 2018-11-29 13:23:58 -08:00
Borys Pierov 43bcfe19db Fix "Read Self Token" URL in acl/token docs (#4978) 2018-11-26 10:55:15 -08:00
Matt Keeler 26b1873b3b Adds documentation for the new ACL APIs (#4851)
* Update the ACL API docs

* Add a CreateTime to the anon token

Also require acl:read permissions at least to perform rule translation. Don’t want someone DoSing the system with an open endpoint that actually does a bit of work.

* Fix one place where I was referring to id instead of AccessorID

* Add godocs for the API package additions.

* Minor updates: removed some extra commas and updated the acl intro paragraph

* minor tweaks

* Updated the language to be clearer

* Updated the language to be clearer for policy page

* I was also confused by that! Your updates are much clearer.

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Sounds much better.

Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com>

* Updated sidebar layout and deprecated warning
2018-10-31 15:11:51 -07:00
Yoann Fouquet 347a577815 website: mention node name for "agent/force-leave" HTTP endpoint (#4542)
* Adjust documentation for agent/force-leave endpoint

A node must be specified when calling agent/force-leave.
See:
 - https://github.com/hashicorp/consul/blob/master/agent/http_oss.go#L25
 - https://github.com/hashicorp/consul/blob/master/agent/agent_endpoint.go#L323
 - https://github.com/hashicorp/consul/blob/master/agent/agent.go#L1442

However, the documentation does not specify it.
Note that Consul returns "301 Moved Permanently v1/agent/force-leave/" when sending PUT request on "v1/agent/force-leave".

* Switch from node id to node name
2018-10-24 08:20:05 -07:00
Raja Nadar ca0d89399d docs: add return info for update and delete acl-token apis (#4584)
* Update Token API returns the ID of the token updated.
 * Delete Token API returns a raw text which is true for successful deletions
2018-10-24 11:11:51 -04:00
Raja Nadar a25f307957 website: update the response json fields for sessions (#4604)
Updated the response json with the true response from Consul 1.2.2
2018-10-24 07:33:25 -07:00
Matt Keeler 99e0a124cb
New ACLs (#4791)
This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week.
Description

At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers.

On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though.

    Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though.
    All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management.
    Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are:
        A server running the new system must still support other clients using the legacy system.
        A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system.
        The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode.

So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 12:04:07 -04:00
Aestek 2e1015b3ba website: add service weights documentation in API doc (#4776)
Adds weights documentation to the following API routes :
* Agent: List Services
* Agent Register Service
* Health: List Nodes for Service
2018-10-19 08:41:03 -07:00
Kyle Havlovitz 96a35f8abc re-add Connect multi-dc config changes
This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
2018-10-19 08:41:03 -07:00
Assel Meher f2321679d6 typo: s/checks/services (#4783) 2018-10-11 18:48:51 +01:00
Jack Pearkes 847a0a5266 Revert "Connect multi-dc config" (#4784) 2018-10-11 17:32:45 +01:00
Paul Banks 94332edf2e
[WIP] Initial draft of Sidecar Service and Managed Proxy deprecation docs (#4752)
* Initial draft of Sidecar Service and Managed Proxy deprecation docs

* Service definition deprecation notices and sidecar service

* gRPC and sidecar service config options; Deprecate managed proxy options

* Envoy Docs: Basic envoy command; envoy getting started/intro

* Remove change that snuck in

* Envoy custom config example

* Add agent/service API docs; deprecate proxy config endpoint

* Misc grep cleanup for managed proxies; capitalize Envoy

* Updates to getting started guide

* Add missing link

* Refactor Envoy guide into a separate guide and add bootstrap reference notes.

* Add limitations to Envoy docs; Highlight no fixes for known managed proxy issues on deprecation page; clarify snake cae stuff; Sidecar Service lifecycle
2018-10-11 10:44:42 +01:00
Kyle Havlovitz 475afd0300 docs: deprecate acl_datacenter and replace it with primary_datacenter 2018-10-10 12:16:47 -07:00
Paul Banks 92fe8c8e89 Add Proxy Upstreams to Service Definition (#4639)
* Refactor Service Definition ProxyDestination.

This includes:
 - Refactoring all internal structs used
 - Updated tests for both deprecated and new input for:
   - Agent Services endpoint response
   - Agent Service endpoint response
   - Agent Register endpoint
     - Unmanaged deprecated field
     - Unmanaged new fields
     - Managed deprecated upstreams
     - Managed new
   - Catalog Register
     - Unmanaged deprecated field
     - Unmanaged new fields
     - Managed deprecated upstreams
     - Managed new
   - Catalog Services endpoint response
   - Catalog Node endpoint response
   - Catalog Service endpoint response
 - Updated API tests for all of the above too (both deprecated and new forms of register)

TODO:
 - config package changes for on-disk service definitions
 - proxy config endpoint
 - built-in proxy support for new fields

* Agent proxy config endpoint updated with upstreams

* Config file changes for upstreams.

* Add upstream opaque config and update all tests to ensure it works everywhere.

* Built in proxy working with new Upstreams config

* Command fixes and deprecations

* Fix key translation, upstream type defaults and a spate of other subtele bugs found with ned to end test scripts...

TODO: tests still failing on one case that needs a fix. I think it's key translation for upstreams nested in Managed proxy struct.

* Fix translated keys in API registration.
≈

* Fixes from docs
 - omit some empty undocumented fields in API
 - Bring back ServiceProxyDestination in Catalog responses to not break backwards compat - this was removed assuming it was only used internally.

* Documentation updates for Upstreams in service definition

* Fixes for tests broken by many refactors.

* Enable travis on f-connect branch in this branch too.

* Add consistent Deprecation comments to ProxyDestination uses

* Update version number on deprecation notices, and correct upstream datacenter field with explanation in docs
2018-10-10 16:55:34 +01:00
Paul Banks 5b0d4db6bc Support Agent Caching for Service Discovery Results (#4541)
* Add cache types for catalog/services and health/services and basic test that caching works

* Support non-blocking cache types with Cache-Control semantics.

* Update API docs to include caching info for every endpoint.

* Comment updates per PR feedback.

* Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear.

* Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
2018-10-10 16:55:34 +01:00
Jack Pearkes a1bd33da11
website: use 127.0.0.1 instead of consul.rocks (#4523)
By default, the Consul agent listens on the local interface
at port 8500 for API requests. This change makes the API examples
using `curl` copy-pasteable for this default configuration.
2018-08-28 09:07:15 -07:00
Paul Banks cb340cefea
Intention ACL API clarification (#4547) 2018-08-20 20:33:15 +01:00
jjshanks 12342e0d0e Update intentions documentation to clarify ACL behavior (#4546)
* Update intentions documentation to clarify ACL behavior

* Incorprate @banks suggestions into docs

* Fix my own typos!
2018-08-20 20:03:53 +01:00
Miroslav Bagljas 8f7e87439a Fixes #4483: Add support for Authorization: Bearer token Header (#4502)
Added Authorization Bearer token support as per RFC6750

* appended Authorization header token parsing after X-Consul-Token
* added test cases
* updated website documentation to mention Authorization header

* improve tests, improve Bearer parsing
2018-08-17 16:18:42 -04:00
Jeff Escalante 2dea506400 a couple more corrections 2018-07-27 19:39:44 -04:00
Jeff Escalante 60e1450606 fix a couple html errors (#4456) 2018-07-26 16:30:24 -07:00
Kyle Havlovitz ecc02c6aee
Merge pull request #4400 from hashicorp/leaf-cert-ttl
Add configurable leaf cert TTL to Connect CA
2018-07-25 17:53:25 -07:00
Geoffrey Grosenbach 39aa3a34ff Remove deprecated Ruby consul-client library (#4419)
The GitHub repo for this library says that it is no longer maintained
and should not be used. The Ruby Diplomat library provides similar
functionality instead (and is already listed here).
2018-07-25 11:47:54 -07:00
Paul Banks 2d5be9a07e
Merge pull request #4427 from hashicorp/connect-api-docs
Add /health/connect to docs and make consistent with /catalog/connect
2018-07-20 21:24:57 +01:00
Paul Banks b3ab641a99
Add /health/connect to docs and make consistent with /catalog/connect 2018-07-20 16:50:28 +01:00
Kyle Havlovitz ce29660245
website: update docs for leaf cert TTL option 2018-07-16 13:33:42 -07:00
Mitchell Hashimoto 77e30d4fa5
website: document alias check 2018-07-12 21:14:36 -07:00
Leonid Stryzhevskyi 930774dc29
oatpp-consul integration added to Libraries & SDKs page 2018-07-09 17:28:03 +03:00
Jack Pearkes 45e9d5e009 website: correct paramater for service meta on catalog register
I believe this may have been missed as part of #3994. Note that the
API _returns_ `ServiceMeta`, but accepts `Meta`.

$ curl -X PUT -d \
  '{
    "Datacenter": "dc1",
    "Node": "example",
    "Address": "www.example.com",
    "Service": {
      "Service": "example-service",
      "Port": 80,
      "Meta": {"foo": "bar"}
      }
  }' \
  http://localhost:8500/v1/catalog/register

$ curl localhost:8500/v1/catalog/service/example-service
[
  {
    "ID": "",
    "Node": "example",
    "Address": "www.example.com",
    "Datacenter": "dc1",
    "TaggedAddresses": null,
    "NodeMeta": null,
    "ServiceKind": "",
    "ServiceID": "example-service",
    "ServiceName": "example-service",
    "ServiceTags": [],
    "ServiceAddress": "",
    "ServiceMeta": {
      "foo": "bar"
    },
    "ServicePort": 80,
    "ServiceEnableTagOverride": false,
    "ServiceProxyDestination": "",
    "ServiceConnect": {
      "Native": false,
      "Proxy": null
    },
    "CreateIndex": 11,
    "ModifyIndex": 37
  }
]
2018-06-26 12:15:23 -07:00
mkeeler 1da3c42867 Merge remote-tracking branch 'connect/f-connect' 2018-06-25 19:42:51 +00:00
Jack Pearkes d3cec142d4 website: fix an assortment of broken links 2018-06-25 12:26:24 -07:00
Kyle Havlovitz 837f23441d connect/ca: hide the RotationPeriod config field since it isn't used yet 2018-06-25 12:26:18 -07:00
Mitchell Hashimoto 2244844bee website: document the precedence table 2018-06-25 12:24:16 -07:00
Mitchell Hashimoto 53c62b7a97 website: clarify where constraints go 2018-06-25 12:24:12 -07:00
Mitchell Hashimoto 5bc17838f3 api: support ExecuteConnect 2018-06-25 12:24:12 -07:00
Mitchell Hashimoto ad382d7351 agent: switch ConnectNative to an embedded struct 2018-06-25 12:24:10 -07:00