Daniel Nephin
a0e08086f7
Merge pull request #10988 from hashicorp/dnephin/acl-legacy-remove-config
...
acl: isolate deprecated config and warn when they are used
2021-09-29 11:40:14 -04:00
Daniel Nephin
3f4f7d2f3f
Merge pull request #9456 from hashicorp/dnephin/config-deprecation
...
config: Use DeprecatedConfig struct for deprecated config fields
2021-09-29 11:37:40 -04:00
Evan Culver
cb5ef13fde
Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15
2021-09-28 16:06:36 -07:00
Evan Culver
eaa9394cb2
Fix typo
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-09-29 01:05:45 +02:00
Evan Culver
64f94b10ce
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-28 15:59:43 -07:00
Evan Culver
807871224a
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 15:58:20 -07:00
Chris S. Kim
3f79aaf509
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
Daniel Nephin
4ed9476a61
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
Evan Culver
e2363c13ff
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 11:54:33 -07:00
Chris S. Kim
90fe20c3a2
agent: Clean up unused built-in proxy config ( #11165 )
2021-09-28 11:29:10 -04:00
Daniel Nephin
30fe14eed3
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
Daniel Nephin
a6a7069ecf
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
Dhia Ayachi
4505cb2920
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
Daniel Nephin
cc46fcc53e
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
2021-09-23 15:15:00 -04:00
Daniel Nephin
107c24a68a
config: move acl_ttl to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
5eb2bebdf8
config: move acl_{default,down}_policy to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
408eb0e08e
config: Deprecate EnableACLReplication
...
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
Daniel Nephin
d54db5917f
config: move ACL master token and replication to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Paul Banks
f8412cf5fa
Merge pull request #10903 from hashicorp/feature/ingress-sds
...
Add Support to for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
Dhia Ayachi
ebe333b947
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
Paul Banks
d57931124f
Final readability tweaks from review
2021-09-23 10:17:12 +01:00
Paul Banks
66c625a64d
Fix subtle loop bug and add test
2021-09-23 10:13:41 +01:00
Paul Banks
7198d0bd80
Refactor SDS validation to make it more contained and readable
2021-09-23 10:13:19 +01:00
Paul Banks
fe4f69613c
Refactor Ingress-specific lister code to separate file
2021-09-23 10:13:19 +01:00
Paul Banks
f4f0793a10
Minor PR typo and cleanup fixes
2021-09-23 10:13:19 +01:00
Paul Banks
4cc1ccf892
Revert abandonned changes to proxycfg for Ent test consistency
2021-09-23 10:13:19 +01:00
Paul Banks
d812a0edc7
Fix merge conflict in xds tests
2021-09-23 10:12:37 +01:00
Paul Banks
a24efd20fc
Fix some more Enterprise Normalization issues affecting tests
2021-09-23 10:12:37 +01:00
Paul Banks
15969327c0
Remove unused argument to fix lint error
2021-09-23 10:09:11 +01:00
Paul Banks
9422e4ebc7
Handle namespaces in route names correctly; add tests for enterprise
2021-09-23 10:09:11 +01:00
Paul Banks
9d576a08dc
Update xDS routes to support ingress services with different TLS config
2021-09-23 10:08:02 +01:00
Paul Banks
8a4254a894
Update xDS Listeners with SDS support
2021-09-23 10:08:02 +01:00
Paul Banks
8548e15f1b
Update proxycfg to hold more ingress config state
2021-09-23 10:08:02 +01:00
Paul Banks
0e410a1b1f
Add ingress-gateway config for SDS
2021-09-23 10:08:02 +01:00
Daniel Nephin
3e6dc2a843
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
Daniel Nephin
2ce64e2837
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
Mark Anderson
c87d57bfeb
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
Chris S. Kim
d222f170a7
connect: Allow upstream listener escape hatch for prepared queries ( #11109 )
2021-09-22 15:27:10 -04:00
Evan Culver
88a899d06a
connect: remove support for Envoy 1.15
2021-09-22 11:48:50 -07:00
R.B. Boyer
ba13416b57
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
Daniel Nephin
66453d2de9
config: Move two more fields to DeprecatedConfig
...
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
Daniel Nephin
23f070e0a1
config: Introduce DeprecatedConfig
...
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00
Evan Culver
4d222cfcd0
add 1.19.x versions to test config
2021-09-22 09:30:45 -07:00
Connor
bc04a155fb
Merge pull request #11090 from hashicorp/clly/kv-usage-metrics
...
Add KVUsage to consul state usage metrics
2021-09-22 11:26:56 -05:00
Connor Kelly
bfe6b64ca7
Strip out go 1.17 bits
2021-09-22 11:04:48 -05:00
Matt Keeler
7c1ef8f515
Add a mock Agent delegate to ease/improve some types of testing
2021-09-22 10:23:01 -04:00
hc-github-team-consul-core
320b20c708
auto-updated agent/uiserver/bindata_assetfs.go from commit 9c0233cf5
2021-09-22 13:05:38 +00:00
hc-github-team-consul-core
949416c071
auto-updated agent/uiserver/bindata_assetfs.go from commit cfbd1bb84
2021-09-22 09:26:14 +00:00
Daniel Nephin
b40bdc9e98
acl: remove remaining tests that use ACL.Apply
...
In preparation for removing ACL.Apply.
Tests for ACL.Apply, ACL.GetPolicy, and ACL upgrades were removed
because all 3 of those will be removed shortly.
The forth test appears to be for the ACLResolver cache, so the test was moved to the correct
test file, and the name was updated to make it obvious what is being tested.
2021-09-21 19:35:26 -04:00
Evan Culver
69f4cc7532
regenerate envoy golden files
2021-09-21 16:21:00 -07:00
Evan Culver
b104b7719c
add envoy 1.19.1
2021-09-21 15:39:36 -07:00
Daniel Nephin
ab91d254a3
fsm: restore the legacy commands
...
and emit a helpful error message.
2021-09-21 18:35:12 -04:00
Daniel Nephin
0180dd67ff
Convert tests to the new ACL system
...
In preparation for removing ACL.Apply
2021-09-21 18:35:12 -04:00
Daniel Nephin
b639f47e3c
config: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
Daniel Nephin
2702aecc27
catalog: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
Daniel Nephin
b6218b75d9
Update 4 non-acl tests that used the legacy ACL.Apply
...
These tests don't really care about the endpoint, they just need some way to create an ACL token.
2021-09-21 17:57:29 -04:00
Daniel Nephin
ad9748adc3
acl: remove two commented out tests for legacy ACL replication
...
They were commented out in 2018.
2021-09-21 17:57:29 -04:00
Daniel Nephin
5a31a2e167
acl: replace legacy Get and List RPCs with an error impl
...
These endpoints are being removed as part of the legacy ACL system.
2021-09-21 17:57:29 -04:00
Daniel Nephin
26f3380688
acl: remove a couple legacy ACL operation constants
...
structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.
2021-09-21 17:57:29 -04:00
Daniel Nephin
af8c10afc4
acl: Remove unused ACLPolicyIDType
2021-09-21 17:57:29 -04:00
Daniel Nephin
5493ff06cc
Merge pull request #10985 from hashicorp/dnephin/acl-legacy-remove-replication
...
acl: remove legacy ACL replication
2021-09-21 17:56:54 -04:00
Connor
64852cd3e5
Apply suggestions from code review
...
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-09-21 10:52:46 -05:00
R.B. Boyer
2773bd94d7
xds: fix representation of incremental xDS subscriptions ( #10987 )
...
Fixes #10563
The `resourceVersion` map was doing two jobs prior to this PR. The first job was
to track what version of every resource we know envoy currently has. The
second was to track subscriptions to those resources (by way of the empty
string for a version). This mostly works out fine, but occasionally leads to
consul removing a resource and accidentally (effectively) unsubscribing at the
same time.
The fix separates these two jobs. When all of the resources for a subscription
are removed we continue to track the subscription until envoy explicitly
unsubscribes
2021-09-21 09:58:56 -05:00
Connor Kelly
973b7b5c78
Fix test
2021-09-20 13:44:43 -05:00
Connor Kelly
698fc291a9
Add KVUsage to consul state usage metrics
...
This change will add the number of entries in the consul KV store to the
already existing usage metrics.
2021-09-20 12:41:54 -05:00
R.B. Boyer
55b36dd056
xds: ensure the active streams counters are 64 bit aligned on 32 bit systems ( #11085 )
2021-09-20 11:07:11 -05:00
Krastin Krastev
ba13dbf24c
Update autopilot.go
...
Fixing a minuscule typo in logging
2021-09-20 14:40:58 +02:00
Freddy
f1b2ef30d1
Merge pull request #11071 from hashicorp/partitions/ixn-decisions
2021-09-16 15:18:23 -06:00
freddygv
661f520841
Fixup proxycfg tproxy case
2021-09-16 15:05:28 -06:00
freddygv
12eec88dff
Remove ent checks from oss test
2021-09-16 14:53:28 -06:00
R.B. Boyer
7fa8f19077
acl: ensure the global management policy grants all necessary partition privileges ( #11072 )
2021-09-16 15:53:10 -05:00
freddygv
cf56be7d8d
Ensure partition is defaulted in authz
2021-09-16 14:39:01 -06:00
freddygv
b5a8935bb8
Default the partition in ixn check
2021-09-16 14:39:01 -06:00
freddygv
caafc1905e
Fixup test
2021-09-16 14:39:01 -06:00
freddygv
8a9bf3748c
Account for partitions in ixn match/decision
2021-09-16 14:39:01 -06:00
Jeff Widman
a8f396c55f
Bump go-discover
to fix broken dep tree ( #10898 )
2021-09-16 15:31:22 -04:00
hc-github-team-consul-core
5a6f9e38b1
auto-updated agent/uiserver/bindata_assetfs.go from commit 1d9d3349c
2021-09-16 17:31:08 +00:00
R.B. Boyer
4e7b6888e3
acl: fix intention:*:write checks ( #11061 )
...
This is a partial revert of #10793
2021-09-16 11:08:45 -05:00
Freddy
88627700d0
Merge pull request #11051 from hashicorp/partitions/fixes
2021-09-16 09:29:00 -06:00
Freddy
494764ee2d
acl: small resolver changes to account for partitions ( #11052 )
...
Also refactoring the enterprise side of a test to make it easier to reason about.
2021-09-16 09:17:02 -05:00
freddygv
7927a97c2f
Fixup manager tests
2021-09-15 17:24:05 -06:00
freddygv
dc549eca30
Default partition in match endpoint
2021-09-15 17:23:52 -06:00
freddygv
0cdcbbb4c9
Pass partition to intention match query
2021-09-15 17:23:52 -06:00
freddygv
a57c52ca32
Ensure partition is used for SAN validation
2021-09-15 17:23:48 -06:00
Mark Anderson
08b222cfc3
ACL Binding Rules table partitioning ( #11044 )
...
* ACL Binding Rules table partitioning
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 13:26:08 -07:00
hc-github-team-consul-core
23e3f865b0
auto-updated agent/uiserver/bindata_assetfs.go from commit fc14a412f
2021-09-15 18:55:29 +00:00
hc-github-team-consul-core
abe0195257
auto-updated agent/uiserver/bindata_assetfs.go from commit b16a6fa03
2021-09-15 17:14:42 +00:00
Dhia Ayachi
25ea1a9276
use const instead of literals for tableIndex
( #11039 )
2021-09-15 10:24:04 -04:00
Mark Anderson
ffe3806aaf
Refactor indexAuthMethod
in tableACLBindingRules
( #11029 )
...
* Port consul-enterprise #1123 to OSS
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Fixup missing query field
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* change to re-trigger ci system
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 09:34:19 -04:00
Freddy
8804577de1
Merge pull request #11024 from hashicorp/partitions/rbac
2021-09-14 11:18:19 -06:00
Freddy
27f40ccf51
Update error texts ( #11022 )
...
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-09-14 11:08:06 -06:00
freddygv
f209408918
Update spiffe ID patterns used for RBAC
2021-09-14 11:00:03 -06:00
freddygv
0e30151eaa
Expand testing of simplifyNotSourceSlice for partitions
2021-09-14 10:55:15 -06:00
freddygv
a65da57a3d
Expand testing of removeSameSourceIntentions for partitions
2021-09-14 10:55:09 -06:00
freddygv
e9d78a20c7
Account for partition when matching src intentions
2021-09-14 10:55:02 -06:00
Daniel Nephin
44d91ea56f
Add failures_before_warning to checks ( #10969 )
...
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* agent: add failures_before_warning setting
The new setting allows users to specify the number of check failures
that have to happen before a service status us updated to be `warning`.
This allows for more visibility for detected issues without creating
alerts and pinging administrators. Unlike the previous behavior, which
caused the service status to not update until it reached the configured
`failures_before_critical` setting, now Consul updates the Web UI view
with the `warning` state and the output of the service check when
`failures_before_warning` is breached.
The default value of `FailuresBeforeWarning` is the same as the value of
`FailuresBeforeCritical`, which allows for retaining the previous default
behavior of not triggering a warning.
When `FailuresBeforeWarning` is set to a value higher than that of
`FailuresBeforeCritical it has no effect as `FailuresBeforeCritical`
takes precedence.
Resolves: https://github.com/hashicorp/consul/issues/10680
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Jakub Sokołowski <jakub@status.im>
2021-09-14 12:47:52 -04:00
Dhia Ayachi
4992218676
convert expiration indexed in ACLToken table to use indexerSingle
( #11018 )
...
* move intFromBool to be available for oss
* add expiry indexes
* remove dead code: `TokenExpirationIndex`
* fix remove indexer `TokenExpirationIndex`
* fix rebase issue
2021-09-13 14:37:16 -04:00
Dhia Ayachi
1f23bdf388
add locality indexer partitioning ( #11016 )
...
* convert `Roles` index to use `indexerSingle`
* split authmethod write indexer to oss and ent
* add index locality
* add locality unit tests
* move intFromBool to be available for oss
* use Bool func
* refactor `aclTokenList` to merge func
2021-09-13 11:53:00 -04:00
Dhia Ayachi
3638825db8
convert indexAuthMethod
index to use indexerSingle
( #11014 )
...
* convert `Roles` index to use `indexerSingle`
* fix oss build
* split authmethod write indexer to oss and ent
* add auth method unit tests
2021-09-10 16:56:56 -04:00
Paul Banks
ecbe8f0656
Include namespace and partition in error messages when validating ingress header manip
2021-09-10 21:11:00 +01:00