Commit Graph

8299 Commits

Author SHA1 Message Date
Matt Keeler b3ba709b3d Remove x509 name constraints
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Matt Keeler 8b27c3268a Make sure we omit the Kind value in JSON if empty 2018-06-25 12:26:10 -07:00
Matt Keeler 2f90768662 Vendor the vault api 2018-06-25 12:26:10 -07:00
Kyle Havlovitz 6ad5476f1b website: fix example config in vault CA docs 2018-06-25 12:26:09 -07:00
Jack Pearkes c7f5344076 bump to beta4 2018-06-25 12:26:01 -07:00
Mitchell Hashimoto 593b7b4b1e website: add vs. Envoy page 2018-06-25 12:25:43 -07:00
Mitchell Hashimoto 6bc30a4216 website: address Armon's feedback 2018-06-25 12:25:43 -07:00
Mitchell Hashimoto cebcf542f2 website: remove redundant "as well" 2018-06-25 12:25:43 -07:00
Mitchell Hashimoto 11e675dfa1 website: address pearkes feedback 2018-06-25 12:25:43 -07:00
Mitchell Hashimoto eecb2e6d99 website: address feedback 2018-06-25 12:25:43 -07:00
Mitchell Hashimoto 596b72e971 website: istio vs. and nomad platform guide 2018-06-25 12:25:43 -07:00
Jack Pearkes 0c43a0f448 update UI to latest 2018-06-25 12:25:42 -07:00
Kyle Havlovitz 859eaea5c4 connect/ca: pull the cluster ID from config during a rotation 2018-06-25 12:25:42 -07:00
Kyle Havlovitz a67bfa2c1b connect/ca: use weak type decoding in the Vault config parsing 2018-06-25 12:25:42 -07:00
Kyle Havlovitz fcc5dc6110 connect/ca: leave blank root key/cert out of the default config (unnecessary) 2018-06-25 12:25:42 -07:00
Kyle Havlovitz 76aa137ffc website: add Vault CA provider doc sections 2018-06-25 12:25:42 -07:00
Kyle Havlovitz f3089a6647 connect/ca: undo the interface changes and use sign-self-issued in Vault 2018-06-25 12:25:42 -07:00
Kyle Havlovitz f79e3e3fa5 connect/ca: add leaf verify check to cross-signing tests 2018-06-25 12:25:41 -07:00
Kyle Havlovitz cea94d0bcf connect/ca: update Consul provider to use new cross-sign CSR method 2018-06-25 12:25:41 -07:00
Kyle Havlovitz 675555c4ff connect/ca: update Vault provider to add cross-signing methods 2018-06-25 12:25:41 -07:00
Kyle Havlovitz a97c44c1ba connect/ca: add URI SAN support to the Vault provider 2018-06-25 12:25:41 -07:00
Kyle Havlovitz 7b0845ccde connect/ca: fix vault provider URI SANs and test 2018-06-25 12:25:41 -07:00
Kyle Havlovitz a98b85b25c connect/ca: add the Vault CA provider 2018-06-25 12:25:41 -07:00
Paul Banks 6ecc0c8099 Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift 2018-06-25 12:25:41 -07:00
Paul Banks b4fbeb0453 Note leadership issues in comments 2018-06-25 12:25:41 -07:00
Paul Banks 21fb98ad5a Fix test broken by final telemetry PR change! 2018-06-25 12:25:40 -07:00
Paul Banks 824a9b4943 Actually return Intermediate certificates bundled with a leaf! 2018-06-25 12:25:40 -07:00
John Cowen 9e3f3780fa Check for NOT connect-proxy 2018-06-25 12:25:40 -07:00
John Cowen ceabb8b439 Filter Source and Destination menus by Kind 2018-06-25 12:25:40 -07:00
Matt Keeler cbf31a467f Output the service Kind in the /v1/internal/ui/services endpoint 2018-06-25 12:25:40 -07:00
Paul Banks ad4df3c3ef Fix merge error 2018-06-25 12:25:40 -07:00
Paul Banks 1d6e1ace11 register TCP check for managed proxies 2018-06-25 12:25:40 -07:00
Paul Banks d1810ba338 Make proxy only listen after initial certs are fetched 2018-06-25 12:25:40 -07:00
John Cowen 2f56c6e1be Fix linting typo, caused the selection of future services to break 2018-06-25 12:25:40 -07:00
Paul Banks e3cbbf4eed Add proxy telemetry to docs 2018-06-25 12:25:39 -07:00
Paul Banks 42e28fa4d1 Limit proxy telemetry config to only be visible with authenticated with a proxy token 2018-06-25 12:25:39 -07:00
Paul Banks ba6e909ed7 Misc test fixes 2018-06-25 12:25:39 -07:00
Paul Banks ca68136ac7 Refactor to use embedded struct. 2018-06-25 12:25:39 -07:00
Paul Banks 86a55892fd Remove go-diff vendor as assert.JSONEq output is way better for our case 2018-06-25 12:25:39 -07:00
Paul Banks 6deadef6bd Revert telemetry config changes ready for cleaner approach 2018-06-25 12:25:39 -07:00
Paul Banks 23be6ad1c8 StartupTelemetry => InitTelemetry 2018-06-25 12:25:39 -07:00
Paul Banks fd3681f35b Allow user override of proxy telemetry config 2018-06-25 12:25:38 -07:00
Paul Banks 530d4acc57 Misc rebase and test fixes 2018-06-25 12:25:38 -07:00
Paul Banks ca9640030e Basic proxy active conns and bandwidth telemetry 2018-06-25 12:25:38 -07:00
Paul Banks 8ed46d7701 Add accessor and helpers to SDK for fetching self-name and client service ID 2018-06-25 12:25:38 -07:00
Paul Banks ff162ffdde Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about 2018-06-25 12:25:38 -07:00
Paul Banks 93f346431b WIP 2018-06-25 12:25:38 -07:00
Paul Banks ced9b2bee4 Expose telemetry config from RuntimeConfig to proxy config endpoint 2018-06-25 12:25:38 -07:00
Paul Banks 2df422e1e5 Disable TestAgent proxy execution properly 2018-06-25 12:25:38 -07:00
Paul Banks 81bd1b43a3 Fix hot loop in cache for RPC returning zero index. 2018-06-25 12:25:37 -07:00