8ae6ee4e36
acl: remove legacy parameter to ACLDatacenter
...
It is no longer used now that legacy ACLs have been removed.
2021-10-25 17:25:14 -04:00
d778113773
acl: remove ACLTokenTypeManagement
2021-10-25 17:25:14 -04:00
88c6aeea34
acl: remove legacy arg to store.ACLTokenSet
...
And remove the tests for legacy=true
2021-10-25 17:25:14 -04:00
b31a7fc498
acl: remove EmbeddedPolicy
...
This method is no longer. It only existed for legacy tokens, which are no longer supported.
2021-10-25 17:25:14 -04:00
ceaa36f983
acl: remove tests for resolving legacy tokens
...
The code for this was already removed, which suggests this is not actually testing what it claims.
I'm guessing these are still resolving because the tokens are converted to non-legacy tokens?
2021-10-25 17:25:14 -04:00
a46e3bd2fc
acl: stop replication on leadership lost
...
It seems like this was missing. Previously this was only called by init of ACLs during an upgrade.
Now that legacy ACLs are removed, nothing was calling stop.
Also remove an unused method from client.
2021-10-25 17:24:12 -04:00
15cd8c7ab8
Remove incorrect TODO
2021-10-25 17:20:06 -04:00
589b238374
acl: move the legacy ACL struct to the one package where it is used
...
It is now only used for restoring snapshots. We can remove it in phase 2.
2021-10-25 17:20:06 -04:00
0ba5d0afcd
acl: remove most of the rest of structs/acl_legacy.go
2021-10-25 17:20:06 -04:00
6433a57d3c
fix autopilot_failure_tolerance, add autopilot metrics test case ( #11399 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-25 10:55:59 -07:00
75f69a98a2
fix leadership transfer on leave suggestions ( #11387 )
...
* add suggestions
* set isLeader to false when leadership transfer succeed
2021-10-21 14:02:26 -04:00
2d1ac1f7d0
try to perform a leadership transfer when leaving ( #11376 )
...
* try to perform a leadership transfer when leaving
* add a changelog
2021-10-21 12:44:31 -04:00
752a285552
Add new service-exports config entry
2021-10-20 12:24:18 -07:00
55dd52cb17
acl: small OSS refactors to help ensure that auth methods with namespace rules work with partitions ( #11323 )
2021-10-14 15:38:05 -05:00
f76fddb28e
Use stored entmeta to fill authzContext
2021-10-14 08:57:40 -06:00
bdf3e951f8
Ensure partition is handled by auto-encrypt
2021-10-14 08:32:45 -06:00
0a6d683c84
Update Intentions.List with partitions ( #11299 )
2021-10-13 10:47:12 -04:00
2cd80e5f66
Merge pull request #11222 from hashicorp/clly/service-mesh-metrics
...
Start tracking connect service mesh usage metrics
2021-10-11 14:35:03 -05:00
2119351f77
Replace fmt.Sprintf with function
2021-10-11 12:43:38 -05:00
571acb872e
ca: extract primaryUpdateRootCA
...
This function is only run when the CAManager is a primary. Extracting this function
makes it clear which parts of UpdateConfiguration are run only in the primary and
also makes the cleanup logic simpler. Instead of both a defer and a local var we
can call the cleanup function in two places.
2021-10-10 15:26:55 -04:00
a65594d8ec
ca: rename functions to use a primary or secondary prefix
...
This commit renames functions to use a consistent pattern for identifying the functions that
can only be called when the Manager is run as the primary or secondary.
This is a step toward eventually creating separate types and moving these methods off of CAManager.
2021-10-10 15:26:55 -04:00
20f0efd8c1
ca: make receiver variable name consistent
...
Every other method uses c not ca
2021-10-10 15:26:55 -04:00
7f28301212
fix consul_autopilot_healthy metric emission ( #11231 )
...
https://github.com/hashicorp/consul/issues/10730
2021-10-08 10:31:50 -07:00
38986d6371
Rename ConfigUsageEnterprise to EnterpriseConfigEntryUsage
2021-10-08 10:53:34 -05:00
76b3c4ed3c
Rename and prefix ConfigEntry in Usage table
...
Rename ConfigUsage functions to ConfigEntry
prefix ConfigEntry kinds with the ConfigEntry table name to prevent
potential conflicts
2021-10-07 16:19:55 -05:00
0e39a7a333
Add connect specific prefix to Usage table
...
Ensure that connect Kind's are separate from ConfigEntry Kind's to
prevent miscounting
2021-10-07 16:16:23 -05:00
51e498717f
docs: add notice that legacy ACLs have been removed.
...
Add changelog
Also remove a metric that is no longer emitted that was missed in a
previous step.
2021-10-05 18:30:22 -04:00
f9ba7c39b5
Add changelog, website and metric docs
...
Add changelog to document what changed.
Add entry to telemetry section of the website to document what changed
Add docs to the usagemetric endpoint to help document the metrics in code
2021-10-05 13:34:24 -05:00
e03b7e4c68
Merge pull request #11182 from hashicorp/dnephin/acl-legacy-remove-upgrade
...
acl: remove upgrade from legacy, start in non-legacy mode
2021-10-04 17:25:39 -04:00
b9f0014d70
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
5ac360b22d
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
ed5693b537
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
9c487389cf
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
8000ea45ca
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
b6435259c3
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
8bd52995d1
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
ec935a2486
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
0c077d0527
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is estalbished.
2021-09-29 16:22:01 -04:00
f21097beda
acl: remove reading of serf acl tags
...
We no long need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgarde older servers will see the tag.
2021-09-29 15:45:11 -04:00
b866e3c4f4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
ebb2388605
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
41a97360ca
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
b73b68d696
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
b8da06a34d
acl: remove ACL upgrading from Clients
...
As part of removing the legacy ACL system ACL upgrading and the flag for
legacy ACLs is removed from Clients.
This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read
from server nodes.
This commit also introduces a constant for the acl serf tag, to make it easier to track where
it is used.
2021-09-29 14:02:38 -04:00
33a5448604
Merge pull request #11136 from hashicorp/dnephin/acl-resolver-fix-default-authz
...
acl: fix default Authorizer for down_policy extend-cache/async-cache
2021-09-29 13:45:12 -04:00
2995ac61f2
acl: remove the last of the legacy FSM
...
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
2021-09-29 12:42:23 -04:00
a8358f7575
acl: remove bootstrap-init FSM operation
2021-09-29 12:42:23 -04:00
ea2e0ad2ec
acl: remove initializeLegacyACL from leader init
2021-09-29 12:42:23 -04:00
4e36442583
acl: remove ACLDelete FSM command, and state store function
...
These are no longer used now that ACL.Apply has been removed.
2021-09-29 12:42:23 -04:00
7e37c9a765
acl: remove legacy field to ACLBoostrap
2021-09-29 12:42:23 -04:00
d4c48a3f23
Merge pull request #11101 from hashicorp/dnephin/acl-legacy-remove-rpc-2
...
acl: remove legacy ACL.Apply RPC
2021-09-29 12:23:55 -04:00
69a83aefcf
Merge pull request #11177 from hashicorp/dnephin/remove-entmeta-methods
...
structs: remove EnterpriseMeta helper methods
2021-09-29 12:08:07 -04:00
acb62aa896
Merge pull request #10986 from hashicorp/dnephin/acl-legacy-remove-rpc
...
acl: remove legacy ACL RPC - part 1
2021-09-29 12:04:09 -04:00
1bc07c5166
structs: rename the last helper method.
...
This one gets used a bunch, but we can rename it to make the behaviour more obvious.
2021-09-29 11:48:38 -04:00
93b3e110b6
structs: remove another helper
...
We already have a helper funtion.
2021-09-29 11:48:03 -04:00
3f79aaf509
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
4ed9476a61
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
30fe14eed3
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
a6a7069ecf
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
4505cb2920
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
ebe333b947
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
3e6dc2a843
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
2ce64e2837
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
c87d57bfeb
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
ba13416b57
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
bc04a155fb
Merge pull request #11090 from hashicorp/clly/kv-usage-metrics
...
Add KVUsage to consul state usage metrics
2021-09-22 11:26:56 -05:00
bfe6b64ca7
Strip out go 1.17 bits
2021-09-22 11:04:48 -05:00
b40bdc9e98
acl: remove remaining tests that use ACL.Apply
...
In preparation for removing ACL.Apply.
Tests for ACL.Apply, ACL.GetPolicy, and ACL upgrades were removed
because all 3 of those will be removed shortly.
The forth test appears to be for the ACLResolver cache, so the test was moved to the correct
test file, and the name was updated to make it obvious what is being tested.
2021-09-21 19:35:26 -04:00
ab91d254a3
fsm: restore the legacy commands
...
and emit a helpful error message.
2021-09-21 18:35:12 -04:00
0180dd67ff
Convert tests to the new ACL system
...
In preparation for removing ACL.Apply
2021-09-21 18:35:12 -04:00
b639f47e3c
config: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
2702aecc27
catalog: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
ad9748adc3
acl: remove two commented out tests for legacy ACL replication
...
They were commented out in 2018.
2021-09-21 17:57:29 -04:00
5a31a2e167
acl: replace legacy Get and List RPCs with an error impl
...
These endpoints are being removed as part of the legacy ACL system.
2021-09-21 17:57:29 -04:00
26f3380688
acl: remove a couple legacy ACL operation constants
...
structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.
2021-09-21 17:57:29 -04:00
5493ff06cc
Merge pull request #10985 from hashicorp/dnephin/acl-legacy-remove-replication
...
acl: remove legacy ACL replication
2021-09-21 17:56:54 -04:00
64852cd3e5
Apply suggestions from code review
...
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-09-21 10:52:46 -05:00
973b7b5c78
Fix test
2021-09-20 13:44:43 -05:00
698fc291a9
Add KVUsage to consul state usage metrics
...
This change will add the number of entries in the consul KV store to the
already existing usage metrics.
2021-09-20 12:41:54 -05:00
ba13dbf24c
Update autopilot.go
...
Fixing a minuscule typo in logging
2021-09-20 14:40:58 +02:00
f1b2ef30d1
Merge pull request #11071 from hashicorp/partitions/ixn-decisions
2021-09-16 15:18:23 -06:00
7fa8f19077
acl: ensure the global management policy grants all necessary partition privileges ( #11072 )
2021-09-16 15:53:10 -05:00
b5a8935bb8
Default the partition in ixn check
2021-09-16 14:39:01 -06:00
caafc1905e
Fixup test
2021-09-16 14:39:01 -06:00
8a9bf3748c
Account for partitions in ixn match/decision
2021-09-16 14:39:01 -06:00
a8f396c55f
Bump `go-discover` to fix broken dep tree ( #10898 )
2021-09-16 15:31:22 -04:00
4e7b6888e3
acl: fix intention:*:write checks ( #11061 )
...
This is a partial revert of #10793
2021-09-16 11:08:45 -05:00
88627700d0
Merge pull request #11051 from hashicorp/partitions/fixes
2021-09-16 09:29:00 -06:00
494764ee2d
acl: small resolver changes to account for partitions ( #11052 )
...
Also refactoring the enterprise side of a test to make it easier to reason about.
2021-09-16 09:17:02 -05:00
dc549eca30
Default partition in match endpoint
2021-09-15 17:23:52 -06:00
08b222cfc3
ACL Binding Rules table partitioning ( #11044 )
...
* ACL Binding Rules table partitioning
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 13:26:08 -07:00
25ea1a9276
use const instead of literals for `tableIndex` ( #11039 )
2021-09-15 10:24:04 -04:00
ffe3806aaf
Refactor `indexAuthMethod` in `tableACLBindingRules` ( #11029 )
...
* Port consul-enterprise #1123 to OSS
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Fixup missing query field
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* change to re-trigger ci system
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 09:34:19 -04:00
4992218676
convert expiration indexed in ACLToken table to use `indexerSingle` ( #11018 )
...
* move intFromBool to be available for oss
* add expiry indexes
* remove dead code: `TokenExpirationIndex`
* fix remove indexer `TokenExpirationIndex`
* fix rebase issue
2021-09-13 14:37:16 -04:00
1f23bdf388
add locality indexer partitioning ( #11016 )
...
* convert `Roles` index to use `indexerSingle`
* split authmethod write indexer to oss and ent
* add index locality
* add locality unit tests
* move intFromBool to be available for oss
* use Bool func
* refactor `aclTokenList` to merge func
2021-09-13 11:53:00 -04:00
3638825db8
convert `indexAuthMethod` index to use `indexerSingle` ( #11014 )
...
* convert `Roles` index to use `indexerSingle`
* fix oss build
* split authmethod write indexer to oss and ent
* add auth method unit tests
2021-09-10 16:56:56 -04:00
3484d77b18
Fix enterprise discovery chain tests; Fix multi-level split merging
2021-09-10 21:11:00 +01:00
5c6d27555b
Fix discovery chain test fixtures
2021-09-10 21:09:24 +01:00
1dd1683ed9
Header manip for split legs plumbing
2021-09-10 21:09:24 +01:00
82b30f8020
convert `Roles` index to use `indexerMulti` ( #11013 )
...
* convert `Roles` index to use `indexerMulti`
* add role test in oss
* fix oss to use the right index func
* preallocate slice
2021-09-10 16:04:33 -04:00
Daniel Nephin