Commit Graph

9089 Commits

Author SHA1 Message Date
Matt Keeler 8fa3d61d25
Implement CLI token cloning & special ID handling (#4827)
* Implement CLI token cloning & special ID handling

* Update a couple CLI commands to take some alternative options.

* Document the CLI.

* Update the policy list and set-agent-token synopsis
2018-10-24 10:24:29 -04:00
Matt Keeler 0dd537e506
Fix the NonVoter Bootstrap test (#4786) 2018-10-24 10:23:50 -04:00
Martin Logan ca9a54bea5 website: Update deprecated script tag in example. (#4790)
Signed-off-by: Martin Logan <mlogan@fanatics.com>
2018-10-24 07:21:20 -07:00
Andreas Sommer c0b44c1af7 website: explain script exit code 1 in health check introduction guide (#4769) 2018-10-24 07:09:41 -07:00
Dhi Aurrahman 342e2696dc connect: Fix comment DYNAMIC_DNS to LOGICAL_DNS (#4799)
LOGICAL_DNS is one of the supported service discovery types [1].

[1] https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/service_discovery#arch-overview-service-discovery-types
2018-10-24 07:02:01 -07:00
Matt Keeler dc8403834d
Single quote a directory (#4846)
Allows building the dev docker container to work when you have spaces in your cwd.
2018-10-24 09:48:19 -04:00
Matt Keeler c95927a9a8
Fix some uuids and make it clear that the SecretID is used for agent tokens (#4845) 2018-10-24 09:47:55 -04:00
Jack Pearkes d88c2eff11 website: add link to rc announce 2018-10-19 13:37:47 -07:00
Matt Keeler b816bee165 ACL documentation (#4824)
* Updating the ACL guide.

* Update the docs correctly

* Finish updating the ACL docs - for now.
2018-10-19 13:26:31 -07:00
banks 1724b30c9e
Release v1.4.0-rc1 2018-10-19 18:57:23 +00:00
Matt Keeler 08509f9526
Don't expect the freebsd/arm build 2018-10-19 14:50:51 -04:00
Matt Keeler 1f9fd5c071
Merge pull request #4823 from hashicorp/build-gopsutil
Fix build on uncommon platforms
2018-10-19 14:40:17 -04:00
Jack Pearkes 5951f842d3 vendor: upgrade to latest version of gopsutil 2018-10-19 11:33:23 -07:00
Jack Pearkes 61b91e7ba2 build: exclude freebsd/arm 2018-10-19 11:32:35 -07:00
Kyle Havlovitz 6f40708aca fsm: add Intention operations to transactions for internal use 2018-10-19 10:02:28 -07:00
Jack Pearkes 405db688f8
Update CHANGELOG.md 2018-10-19 09:57:06 -07:00
Jack Pearkes c2d8bea82a Update CHANGELOG.md 2018-10-19 09:54:59 -07:00
John Cowen 2dabff0e17
Update CHANGELOG.md 2018-10-19 17:50:04 +01:00
Matt Keeler 1d13e4ee57
Merge pull request #4822 from hashicorp/mis
A few misc fixes found by go vet
2018-10-19 12:42:56 -04:00
John Cowen 42919e91bb
ui: Adds multi syntax linting to the code editor (#4814) 2018-10-19 17:36:38 +01:00
Matt Keeler ec780595cb
Update CHANGELOG.md 2018-10-19 12:36:16 -04:00
Matt Keeler df507a4a55 A few misc fixes found by go vet 2018-10-19 12:28:36 -04:00
Matt Keeler 4c6afd2496
Merge pull request #4821 from hashicorp/release/1.4-staging
1.4 Release
2018-10-19 12:08:36 -04:00
Matt Keeler 99e0a124cb
New ACLs (#4791)
This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week.
Description

At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers.

On the surface and with a new cluster the ACL system will look very similar to that of Nomad's. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though.

* Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though.
* All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management.
* Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are:
    * A server running the new system must still support other clients using the legacy system.
    * A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system.
    * The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode.

So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 12:04:07 -04:00
Jack Pearkes a10297c15b
website: minor notes about 1.4.0 (#4820) 2018-10-19 08:52:56 -07:00
Rebecca Zanzig f18a74e705 Update docs to include multiple tag support (#4797)
* Update docs to include multiple tag support

* Sort tags before using them in metrics

This addresses the potential proliferation of metrics if a query of
"?tag=foo&tag=bar" is treated differently than "?tag=bar&tag=foo".
Now, tags are always sorted before being recorded, making these two
emit the same metric.

* Add caveat about multiple tags returned by the metrics endpoint
2018-10-19 16:52:17 +01:00
John Cowen 52a62f2b8d UI: New ACLs (#4789)
UI to accompany the new ACLs APIs
2018-10-19 08:45:05 -07:00
Hans Hasselberg bd37633df8 Update CHANGELOG.md 2018-10-19 08:45:02 -07:00
Hans Hasselberg d9a530f9ae Update CHANGELOG.md 2018-10-19 08:44:18 -07:00
Hans Hasselberg 36bcea9f33 website: update sprockets and ffi to dodge CVEs (#4781)
* Update sprockets to dodge CVE-2018-3760 and CVE-2014-7819
* update ffi to dodge CVE-2018-1000201
2018-10-19 08:41:04 -07:00
Pierre Souchay a72f92cac6 dns: implements prefix lookups for DNS TTL (#4605)
This will fix https://github.com/hashicorp/consul/issues/4509 and allow for instance lb-* to match services lb-001 or lb-service-007.
2018-10-19 08:41:04 -07:00
Aestek 2e1015b3ba website: add service weights documentation in API doc (#4776)
Adds weights documentation to the following API routes:
* Agent: List Services
* Agent Register Service
* Health: List Nodes for Service
2018-10-19 08:41:03 -07:00
Jack Pearkes e0e33aee26 website: note Envoy support in Nomad guide (#4787) 2018-10-19 08:41:03 -07:00
Jack Pearkes 197d62c6ca New command: consul debug (#4754)
* agent/debug: add package for debugging, host info

* api: add v1/agent/host endpoint

* agent: add v1/agent/host endpoint

* command/debug: implementation of static capture

* command/debug: tests and only configured targets

* agent/debug: add basic test for host metrics

* command/debug: add methods for dynamic data capture

* api: add debug/pprof endpoints

* command/debug: add pprof

* command/debug: timing, wg, logs to disk

* vendor: add gopsutil/disk

* command/debug: add a usage section

* website: add docs for consul debug

* agent/host: require operator:read

* api/host: improve docs and no retry timing

* command/debug: fail on extra arguments

* command/debug: fixup file permissions to 0644

* command/debug: remove server flags

* command/debug: improve clarity of usage section

* api/debug: add Trace for profiling, fix profile

* command/debug: capture profile and trace at the same time

* command/debug: add index document

* command/debug: use "clusters" in place of members

* command/debug: remove address in output

* command/debug: improve comment on metrics sleep

* command/debug: clarify usage

* agent: always register pprof handlers and protect

This will allow us to avoid a restart of a target agent
for profiling by always registering the pprof handlers.

Given this is a potentially sensitive path, it is protected
with an operator:read ACL and enable debug being
set to true on the target agent. enable_debug still requires
a restart.

If ACLs are disabled, enable_debug is sufficient.

* command/debug: use trace.out instead of .prof

More in line with golang docs.

* agent: fix comment wording

* agent: wrap table driven tests in t.run()
2018-10-19 08:41:03 -07:00
Kyle Havlovitz 96a35f8abc re-add Connect multi-dc config changes
This reverts commit 8bcfbaffb6588b024cd1a3cf0952e6bfa7d9e900.
2018-10-19 08:41:03 -07:00
John Cowen 3ec70b62a3
ui: Fix freetext searching within the nodes page (#4819)
Essentially this was missing a call to `super`. The error unfortunately
didn't arise in the tests as it only errors when the node list has 4
items or more (the 4 columns), and the acceptance tests by chance were
only filling the page with 3 nodes for test purposes.

I've bumped the amount of nodes up to 4 in the tests, which then causes
the tests to fail, made the fix by adding the `super` call, and the
tests now pass.

I also tested the UI/text searching on a 10,000 node system, and
everything now works as expected.
2018-10-19 14:31:22 +01:00
Rebecca Zanzig eb81b49c34
Merge pull request #4812 from hashicorp/docs/helm-16
Add additional formatting detail to the Helm `join` command docs
2018-10-18 13:43:13 -07:00
Rebecca Zanzig e81571d6e9 Add additional formatting detail to the Helm `join` command
In response to consul-helm issue 16.
2018-10-17 12:53:44 -07:00
R.B. Boyer f15bce9f20
fix some test hangs (#4785)
The default http.Client uses infinite timeouts, so if TestHTTPAPI_MethodNotAllowed_OSS experienced anything going wrong about setup it could hang forever.

Switching to hard coding various http.Client timeouts to non-infinite values at least bounds the failure time.
2018-10-16 16:04:51 -05:00
Jack Pearkes e3b4fafe36 Putting source back into Dev Mode 2018-10-11 13:31:27 -07:00
Jack Pearkes df2efb9658 website: bump website for 1.3.0 2018-10-11 11:27:54 -07:00
banks b4696ee554 Release v1.3.0 2018-10-11 18:21:46 +00:00
Assel Meher f2321679d6 typo: s/checks/services (#4783) 2018-10-11 18:48:51 +01:00
Jack Pearkes 847a0a5266 Revert "Connect multi-dc config" (#4784) 2018-10-11 17:32:45 +01:00
Paul Banks 29cf51812b
Update CHANGELOG.md 2018-10-11 13:35:02 +01:00
danielehc 6c12a35834
Update creating-certificates.html.md (#4780)
In case `verify_server_hostname` is set in the configuration, Consul checks the certificate against `server.<datacenter>.<domain>`.

The name suggested by the guide generates errors like the following:
```
2018/10/10 12:42:20 [ERR] consul: Failed to confirm peer status for consul-3: rpc error getting client: failed to get conn: x509: certificate is valid for server.node.consul.labs, localhost, not server.consul.labs. Retrying in 16s...
```

Removing the `node` part from the certificate permits them to work also when that option is set.
2018-10-11 14:23:51 +02:00
Aestek 260a9880ae [Security] Add finer control over script checks (#4715)
* Add -enable-local-script-checks options

These options allow for a finer control over when script checks are enabled by
giving the option to only allow them when they are declared from the local
file system.

* Add documentation for the new option

* Nitpick doc wording
2018-10-11 13:22:11 +01:00
Paul Banks bf741cbc04
Quick fix for cache age flakiness in CI 2018-10-11 13:12:19 +01:00
Paul Banks 731e86a851
Update CHANGELOG.md 2018-10-11 12:56:05 +01:00
Rebecca Zanzig 0ec6d880f5 Support multiple tags for health and catalog http api endpoints (#4717)
* Support multiple tags for health and catalog api endpoints

Fixes #1781.

Adds a `ServiceTags` field to the ServiceSpecificRequest to support
multiple tags, updates the filter logic in the catalog store, and
propagates these changes through to the health and catalog endpoints.

Note: Leaves `ServiceTag` in the struct, since it is being used as
part of the DNS lookup, which in turn uses the health check.

* Update the api package to support multiple tags

Includes additional tests.

* Update new tests to use the `require` library

* Update HealthConnect check after a bad merge
2018-10-11 12:50:05 +01:00