Matt Keeler
b3ba709b3d
Remove x509 name constraints
These were only added as SPIFFE intends to use them in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seemed fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificates if it's enabled. LibreSSL as installed on OS X by default doesn't have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Matt Keeler
8b27c3268a
Make sure we omit the Kind value in JSON if empty
2018-06-25 12:26:10 -07:00
Matt Keeler
2f90768662
Vendor the vault api
2018-06-25 12:26:10 -07:00
Kyle Havlovitz
6ad5476f1b
website: fix example config in vault CA docs
2018-06-25 12:26:09 -07:00
Jack Pearkes
c7f5344076
bump to beta4
2018-06-25 12:26:01 -07:00
Mitchell Hashimoto
593b7b4b1e
website: add vs. Envoy page
2018-06-25 12:25:43 -07:00
Mitchell Hashimoto
6bc30a4216
website: address Armon's feedback
2018-06-25 12:25:43 -07:00
Mitchell Hashimoto
cebcf542f2
website: remove redundant "as well"
2018-06-25 12:25:43 -07:00
Mitchell Hashimoto
11e675dfa1
website: address pearkes feedback
2018-06-25 12:25:43 -07:00
Mitchell Hashimoto
eecb2e6d99
website: address feedback
2018-06-25 12:25:43 -07:00
Mitchell Hashimoto
596b72e971
website: istio vs. and nomad platform guide
2018-06-25 12:25:43 -07:00
Jack Pearkes
0c43a0f448
update UI to latest
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
859eaea5c4
connect/ca: pull the cluster ID from config during a rotation
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
a67bfa2c1b
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
fcc5dc6110
connect/ca: leave blank root key/cert out of the default config (unnecessary)
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
76aa137ffc
website: add Vault CA provider doc sections
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f3089a6647
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f79e3e3fa5
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
cea94d0bcf
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
675555c4ff
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a97c44c1ba
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
7b0845ccde
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a98b85b25c
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
6ecc0c8099
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
b4fbeb0453
Note leadership issues in comments
2018-06-25 12:25:41 -07:00
Paul Banks
21fb98ad5a
Fix test broken by final telemetry PR change!
2018-06-25 12:25:40 -07:00
Paul Banks
824a9b4943
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
John Cowen
9e3f3780fa
Check for NOT connect-proxy
2018-06-25 12:25:40 -07:00
John Cowen
ceabb8b439
Filter Source and Destination menus by Kind
2018-06-25 12:25:40 -07:00
Matt Keeler
cbf31a467f
Output the service Kind in the /v1/internal/ui/services endpoint
2018-06-25 12:25:40 -07:00
Paul Banks
ad4df3c3ef
Fix merge error
2018-06-25 12:25:40 -07:00
Paul Banks
1d6e1ace11
register TCP check for managed proxies
2018-06-25 12:25:40 -07:00
Paul Banks
d1810ba338
Make proxy only listen after initial certs are fetched
2018-06-25 12:25:40 -07:00
John Cowen
2f56c6e1be
Fix linting typo, caused the selection of future services to break
2018-06-25 12:25:40 -07:00
Paul Banks
e3cbbf4eed
Add proxy telemetry to docs
2018-06-25 12:25:39 -07:00
Paul Banks
42e28fa4d1
Limit proxy telemetry config to only be visible when authenticated with a proxy token
2018-06-25 12:25:39 -07:00
Paul Banks
ba6e909ed7
Misc test fixes
2018-06-25 12:25:39 -07:00
Paul Banks
ca68136ac7
Refactor to use embedded struct.
2018-06-25 12:25:39 -07:00
Paul Banks
86a55892fd
Remove go-diff vendor as assert.JSONEq output is way better for our case
2018-06-25 12:25:39 -07:00
Paul Banks
6deadef6bd
Revert telemetry config changes ready for cleaner approach
2018-06-25 12:25:39 -07:00
Paul Banks
23be6ad1c8
StartupTelemetry => InitTelemetry
2018-06-25 12:25:39 -07:00
Paul Banks
fd3681f35b
Allow user override of proxy telemetry config
2018-06-25 12:25:38 -07:00
Paul Banks
530d4acc57
Misc rebase and test fixes
2018-06-25 12:25:38 -07:00
Paul Banks
ca9640030e
Basic proxy active conns and bandwidth telemetry
2018-06-25 12:25:38 -07:00
Paul Banks
8ed46d7701
Add accessor and helpers to SDK for fetching self-name and client service ID
2018-06-25 12:25:38 -07:00
Paul Banks
ff162ffdde
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about
2018-06-25 12:25:38 -07:00
Paul Banks
93f346431b
WIP
2018-06-25 12:25:38 -07:00
Paul Banks
ced9b2bee4
Expose telemetry config from RuntimeConfig to proxy config endpoint
2018-06-25 12:25:38 -07:00
Paul Banks
2df422e1e5
Disable TestAgent proxy execution properly
2018-06-25 12:25:38 -07:00
Paul Banks
81bd1b43a3
Fix hot loop in cache for RPC returning zero index.
2018-06-25 12:25:37 -07:00