Daniel Nephin
4300daa2e6
telemetry: only emit leader cert expiry metrics on the servers
2021-10-27 15:19:25 -04:00
Daniel Nephin
9de725c17d
telemetry: prevent stale values from cert monitors
...
Prometheus scrapes metrics from each process, so when leadership transfers to a different node
the previous leader would still be reporting the old cached value.
By setting NaN, I believe we should zero-out the value, so that prometheus should only consider the
value from the new leader.
2021-10-27 15:19:25 -04:00
Daniel Nephin
616cc9b6f8
telemetry: improve cert expiry metrics
...
Emit the metric immediately so that after restarting an agent, the new expiry time will be
emitted. This is particularly important when this metric is being monitored, because we want
the alert to resovle itself immediately.
Also fixed a bug that was exposed in one of these metrics. The CARoot can be nil, so we have
to handle that case.
2021-10-27 15:19:25 -04:00
Daniel Nephin
24951f0c7e
subscribe: attempt to fix a flaky test
...
TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages has been
flaking a few times. This commit cleans up the test a bit, and improves
the failure output.
I don't believe this actually fixes the flake, but I'm not able to
reproduce it reliably.
The failure appears to be that the event with Port=0 is being sent in
both the snapshot and as the first event after the EndOfSnapshot event.
Hopefully the improved logging will show us if these are really
duplicate events, or actually different events with different indexes.
2021-10-27 15:09:09 -04:00
Freddy
ae76144f55
Merge pull request #11435 from hashicorp/ent-authorizer-refactor
...
[OSS] Export ACLs refactor
2021-10-27 13:04:40 -06:00
Freddy
520bda999b
Merge pull request #11432 from hashicorp/ap/exports-mgw
...
[OSS] Update mesh gateways to handle partitions
2021-10-27 12:54:53 -06:00
freddygv
592965d61e
Rework acl exports interface
2021-10-27 12:50:39 -06:00
Freddy
9bbeea0432
Merge pull request #11433 from hashicorp/exported-service-acls
...
[OSS] acl: Expand ServiceRead and NodeRead to account for partition exports
2021-10-27 12:48:08 -06:00
freddygv
05f91bd2b8
Update comments
2021-10-27 12:36:44 -06:00
Freddy
d8ae915160
Merge pull request #11431 from hashicorp/ap/exports-proxycfg
...
[OSS] Update partitioned mesh gw handling for connect proxies
2021-10-27 11:27:43 -06:00
Freddy
8e23a6a0cc
Merge pull request #11416 from hashicorp/ap/exports-update
...
Rename service-exports to partition-exports
2021-10-27 11:27:31 -06:00
freddygv
40271beb38
Fixup partitions assertion
2021-10-27 11:15:25 -06:00
freddygv
67412ac5e7
Fixup imports
2021-10-27 11:15:25 -06:00
freddygv
4de3537391
Split up locality check from hostname check
2021-10-27 11:15:25 -06:00
freddygv
9769b31641
Move the exportingpartitions constant to enterprise
2021-10-27 11:15:25 -06:00
freddygv
0391a65772
Replace default partition check
2021-10-27 11:15:25 -06:00
freddygv
ee45ac9dc5
PR comments
2021-10-27 11:15:25 -06:00
freddygv
f99946553a
Leave todo about default name
2021-10-27 11:15:25 -06:00
freddygv
9d375ad6d2
Add oss impl of registerEntCache
2021-10-27 11:15:25 -06:00
freddygv
183849416b
Register the ExportingPartitions cache type
2021-10-27 11:15:25 -06:00
freddygv
8b5a9369eb
Account for partitions in xds gen for mesh gw
...
This commit avoids skipping gateways in remote partitions of the local
DC when generating listeners/clusters/endpoints.
2021-10-27 11:15:25 -06:00
freddygv
d1d513b1b3
Account for partition in SNI for gateways
2021-10-27 11:15:25 -06:00
freddygv
4f0432be5e
Update xds pkg to account for GatewayKey
2021-10-27 09:03:56 -06:00
freddygv
f3f15640a9
Update mesh gateway proxy watches for partitions
...
This commit updates mesh gateway watches for cross-partitions
communication.
* Mesh gateways are keyed by partition and datacenter.
* Mesh gateways will now watch gateways in partitions that export
services to their partition.
* Mesh gateways in non-default partitions will not have cross-datacenter
watches. They are not involved in traditional WAN federation.
2021-10-27 09:03:56 -06:00
freddygv
af662c8c1c
Avoid mixing named and unnamed params
2021-10-26 23:42:25 -06:00
freddygv
1de62bb0a2
Avoid passing nil config pointer
2021-10-26 23:42:25 -06:00
freddygv
4a2e40aa3c
Avoid panic on nil partitionAuthorizer config
...
partitionAuthorizer.config can be nil if it wasn't provided on calls to
newPartitionAuthorizer outside of the ACLResolver. This usage happens
often in tests.
This commit: adds a nil check when the config is going to be used,
updates non-test usage of NewPolicyAuthorizerWithDefaults to pass a
non-nil config, and dettaches setEnterpriseConf from the ACLResolver.
2021-10-26 23:42:25 -06:00
freddygv
015d85cd74
Update NodeRead for partition-exports
...
When issuing cross-partition service discovery requests, ACL filtering
often checks for NodeRead privileges. This is because the common return
type is a CheckServiceNode, which contains node data.
2021-10-26 23:42:11 -06:00
Kyle Havlovitz
afb0976eac
acl: pass PartitionInfo through ent ACLConfig
2021-10-26 23:41:52 -06:00
Kyle Havlovitz
56d1858c4a
acl: Expand ServiceRead logic to look at service-exports for cross-partition
2021-10-26 23:41:32 -06:00
freddygv
4737ad118d
Swap in structs.EqualPartitions for cmp
2021-10-26 23:36:01 -06:00
freddygv
1bade08f91
Replace Split with SplitN
2021-10-26 23:36:01 -06:00
freddygv
3966677aaf
Finish removing useInDatacenter
2021-10-26 23:36:01 -06:00
freddygv
69476221c1
Update XDS for sidecars dialing through gateways
2021-10-26 23:35:48 -06:00
freddygv
ea311d2e47
Configure sidecars to watch gateways in partitions
...
Previously the datacenter of the gateway was the key identifier, now it
is the datacenter and partition.
When dialing services in other partitions or datacenters we now watch
the appropriate partition.
2021-10-26 23:35:37 -06:00
freddygv
feaebde1f1
Remove useInDatacenter from disco chain requests
...
useInDatacenter was used to determine whether the mesh gateway mode of
the upstream should be returned in the discovery chain target. This
commit makes it so that the mesh gateway mode is returned every time,
and it is up to the caller to decide whether mesh gateways should be
watched or used.
2021-10-26 23:35:21 -06:00
R.B. Boyer
e27e58c6cc
agent: refactor the agent delegate interface to be partition friendly ( #11429 )
2021-10-26 15:08:55 -05:00
Chris S. Kim
27f8a85664
agent: Ensure partition is considered in agent endpoints ( #11427 )
2021-10-26 15:20:57 -04:00
Konstantine
2f9ee8e558
remove spaces
2021-10-26 12:38:13 -04:00
Konstantine
be14f6da90
fix altDomain responses for services where address is IP, added tests
2021-10-26 12:38:13 -04:00
Konstantine
eec9d66e22
fix encodeIPAsFqdn to return alt-domain when requested, added test case
2021-10-26 12:38:12 -04:00
Konstantine
9d6797a463
fixed altDomain response for NS type queries, and added test
2021-10-26 12:38:12 -04:00
Konstantine
0735e12412
edited TestDNS_AltDomains_Service to test responses for altDomains, and added TXT additional section check
2021-10-26 12:38:12 -04:00
Konstantine
8972e093d9
fixed alt-domain answer for SRV records, and TXT records in additional section
2021-10-26 12:38:12 -04:00
Chris S. Kim
3f736467e6
ui: Pass primary dc through to uiserver ( #11317 )
...
Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
2021-10-26 10:30:17 -04:00
freddygv
83d4d0e108
Remove outdated partition label from test
2021-10-25 18:47:02 -06:00
freddygv
c3e381b4c1
Rename service-exports to partition-exports
...
Existing config entries prefixed by service- are specific to individual
services. Since this config entry applies to partitions it is being
renamed.
Additionally, the Partition label was changed to Name because using
Partition at the top-level and in the enterprise meta was leading to the
enterprise meta partition being dropped by msgpack.
2021-10-25 17:58:48 -06:00
Daniel Nephin
f24bad2a52
Merge pull request #11232 from hashicorp/dnephin/acl-legacy-remove-docs
...
acl: add docs and changelog for the removal of the legacy ACL system
2021-10-25 18:38:00 -04:00
Daniel Nephin
f7cdd210fe
Update agent/consul/acl_client.go
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-10-25 17:25:14 -04:00
Daniel Nephin
732b841dd7
state: remove support for updating legacy ACL tokens
2021-10-25 17:25:14 -04:00
Daniel Nephin
76b007dacd
acl: remove init check for legacy anon token
...
This token should always already be migrated from a previous version.
2021-10-25 17:25:14 -04:00
Daniel Nephin
8ae6ee4e36
acl: remove legacy parameter to ACLDatacenter
...
It is no longer used now that legacy ACLs have been removed.
2021-10-25 17:25:14 -04:00
Daniel Nephin
d778113773
acl: remove ACLTokenTypeManagement
2021-10-25 17:25:14 -04:00
Daniel Nephin
2f0eba1980
acl: remove ACLTokenTypeClient,
...
along with the last test referencing it.
2021-10-25 17:25:14 -04:00
Daniel Nephin
88c6aeea34
acl: remove legacy arg to store.ACLTokenSet
...
And remove the tests for legacy=true
2021-10-25 17:25:14 -04:00
Daniel Nephin
b31a7fc498
acl: remove EmbeddedPolicy
...
This method is no longer. It only existed for legacy tokens, which are no longer supported.
2021-10-25 17:25:14 -04:00
Daniel Nephin
ceaa36f983
acl: remove tests for resolving legacy tokens
...
The code for this was already removed, which suggests this is not actually testing what it claims.
I'm guessing these are still resolving because the tokens are converted to non-legacy tokens?
2021-10-25 17:25:14 -04:00
Daniel Nephin
a46e3bd2fc
acl: stop replication on leadership lost
...
It seems like this was missing. Previously this was only called by init of ACLs during an upgrade.
Now that legacy ACLs are removed, nothing was calling stop.
Also remove an unused method from client.
2021-10-25 17:24:12 -04:00
Daniel Nephin
15cd8c7ab8
Remove incorrect TODO
2021-10-25 17:20:06 -04:00
Daniel Nephin
589b238374
acl: move the legacy ACL struct to the one package where it is used
...
It is now only used for restoring snapshots. We can remove it in phase 2.
2021-10-25 17:20:06 -04:00
Daniel Nephin
0ba5d0afcd
acl: remove most of the rest of structs/acl_legacy.go
2021-10-25 17:20:06 -04:00
Paul Banks
ab5cdce760
Merge pull request #11163 from hashicorp/feature/ingress-tls-mixed
...
Add support for enabling connect-based ingress TLS per listener.
2021-10-25 21:36:01 +01:00
FFMMM
6433a57d3c
fix autopilot_failure_tolerance, add autopilot metrics test case ( #11399 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-25 10:55:59 -07:00
FFMMM
67a624a49f
use *telemetry.MetricsPrefix as prometheus.PrometheusOpts.Name ( #11290 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-21 13:33:01 -07:00
Dhia Ayachi
75f69a98a2
fix leadership transfer on leave suggestions ( #11387 )
...
* add suggestions
* set isLeader to false when leadership transfer succeed
2021-10-21 14:02:26 -04:00
Dhia Ayachi
2d1ac1f7d0
try to perform a leadership transfer when leaving ( #11376 )
...
* try to perform a leadership transfer when leaving
* add a changelog
2021-10-21 12:44:31 -04:00
Kyle Havlovitz
752a285552
Add new service-exports config entry
2021-10-20 12:24:18 -07:00
Jared Kirschner
716b05f934
Merge pull request #11293 from bisakhmondal/service_filter
...
expression validation of service-resolver subset filter
2021-10-20 08:57:37 -04:00
Paul Banks
4808b97d9c
Rebase and rebuild golden files for Envoy version bump
2021-10-19 21:37:58 +01:00
Paul Banks
ff405d35c7
Refactor `resolveListenerSDSConfig` to pass in whole config
2021-10-19 20:58:29 +01:00
Paul Banks
5c8702b182
Add support for enabling connect-based ingress TLS per listener.
2021-10-19 20:58:28 +01:00
Giulio Micheloni
b549de831d
Restored comment.
2021-10-16 18:05:32 +01:00
Giulio Micheloni
a5a4eb9cae
Separete test file and no stack trace in ret error
2021-10-16 18:02:03 +01:00
Giulio Micheloni
10814d934e
Merge branch 'main' of https://github.com/hashicorp/consul into hashicorp-main
2021-10-16 16:59:32 +01:00
R.B. Boyer
55dd52cb17
acl: small OSS refactors to help ensure that auth methods with namespace rules work with partitions ( #11323 )
2021-10-14 15:38:05 -05:00
freddygv
f76fddb28e
Use stored entmeta to fill authzContext
2021-10-14 08:57:40 -06:00
freddygv
bdf3e951f8
Ensure partition is handled by auto-encrypt
2021-10-14 08:32:45 -06:00
FFMMM
bb228ab165
fix: only add prom autopilot gauges to servers ( #11241 )
...
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-10-13 09:25:30 -07:00
Chris S. Kim
0a6d683c84
Update Intentions.List with partitions ( #11299 )
2021-10-13 10:47:12 -04:00
R.B. Boyer
3e8ece97a8
acl: fix bug in 'consul members' filtering with partitions ( #11263 )
2021-10-13 09:18:16 -05:00
Bisakh Mondal
929ad1e80f
add service resolver subset filter validation
2021-10-13 02:56:04 +05:30
Connor
2cd80e5f66
Merge pull request #11222 from hashicorp/clly/service-mesh-metrics
...
Start tracking connect service mesh usage metrics
2021-10-11 14:35:03 -05:00
Connor Kelly
2119351f77
Replace fmt.Sprintf with function
2021-10-11 12:43:38 -05:00
tarat44
baec141df3
preload json values in structs to determine defaults
2021-10-10 17:52:26 -04:00
Daniel Nephin
e37b5846fd
ca: split Primary/Secondary Provider
...
To make it more clear which methods are necessary for each scenario. This can
also prevent problems which force all DCs to use the same Vault instance, which
is currently a problem.
2021-10-10 15:48:02 -04:00
Daniel Nephin
571acb872e
ca: extract primaryUpdateRootCA
...
This function is only run when the CAManager is a primary. Extracting this function
makes it clear which parts of UpdateConfiguration are run only in the primary and
also makes the cleanup logic simpler. Instead of both a defer and a local var we
can call the cleanup function in two places.
2021-10-10 15:26:55 -04:00
Daniel Nephin
a65594d8ec
ca: rename functions to use a primary or secondary prefix
...
This commit renames functions to use a consistent pattern for identifying the functions that
can only be called when the Manager is run as the primary or secondary.
This is a step toward eventually creating separate types and moving these methods off of CAManager.
2021-10-10 15:26:55 -04:00
Daniel Nephin
20f0efd8c1
ca: make receiver variable name consistent
...
Every other method uses c not ca
2021-10-10 15:26:55 -04:00
tarat44
e3a18e5203
add test cases for h2ping_use_tls default behavior
2021-10-09 17:12:52 -04:00
FFMMM
7f28301212
fix consul_autopilot_healthy metric emission ( #11231 )
...
https://github.com/hashicorp/consul/issues/10730
2021-10-08 10:31:50 -07:00
Connor Kelly
38986d6371
Rename ConfigUsageEnterprise to EnterpriseConfigEntryUsage
2021-10-08 10:53:34 -05:00
Connor Kelly
76b3c4ed3c
Rename and prefix ConfigEntry in Usage table
...
Rename ConfigUsage functions to ConfigEntry
prefix ConfigEntry kinds with the ConfigEntry table name to prevent
potential conflicts
2021-10-07 16:19:55 -05:00
Connor Kelly
0e39a7a333
Add connect specific prefix to Usage table
...
Ensure that connect Kind's are separate from ConfigEntry Kind's to
prevent miscounting
2021-10-07 16:16:23 -05:00
tarat44
bda1998175
only set default on H2PingUseTLS if H2PING is set
2021-10-06 22:13:01 -04:00
Daniel Nephin
51e498717f
docs: add notice that legacy ACLs have been removed.
...
Add changelog
Also remove a metric that is no longer emitted that was missed in a
previous step.
2021-10-05 18:30:22 -04:00
Daniel Nephin
577f2649bf
acl: remove unused translate rules endpoint
...
The CLI command does not use this endpoint, so we can remove it. It was missed in an
earlier pass.
2021-10-05 18:26:05 -04:00
Connor Kelly
f9ba7c39b5
Add changelog, website and metric docs
...
Add changelog to document what changed.
Add entry to telemetry section of the website to document what changed
Add docs to the usagemetric endpoint to help document the metrics in code
2021-10-05 13:34:24 -05:00
Joshua Montgomery
5446009299
Fixing SOA record to use alt domain when alt domain in use ( #10431 )
2021-10-05 10:47:27 -04:00
tarat44
35faff55f8
fix test
2021-10-05 00:48:09 -04:00
tarat44
1c1405552a
fix formatting
2021-10-05 00:15:04 -04:00
tarat44
e46b41d04d
fix formatting
2021-10-05 00:12:23 -04:00
tarat44
f8b47cdfcd
change config option to H2PingUseTLS
2021-10-05 00:12:21 -04:00
tarat44
ed4ca3db49
add support for h2c in h2 ping health checks
2021-10-04 22:51:08 -04:00
Daniel Nephin
e03b7e4c68
Merge pull request #11182 from hashicorp/dnephin/acl-legacy-remove-upgrade
...
acl: remove upgrade from legacy, start in non-legacy mode
2021-10-04 17:25:39 -04:00
Evan Culver
e47c5c5ceb
Merge pull request #11118 from hashicorp/eculver/remove-envoy-1.15
...
Remove support for Envoy 1.15
2021-10-04 23:14:24 +02:00
Evan Culver
d279c60010
Merge pull request #11115 from hashicorp/eculver/envoy-1.19.1
...
Add support for Envoy 1.19.1
2021-10-04 23:13:26 +02:00
Daniel Nephin
b9f0014d70
acl: remove updateEnterpriseSerfTags
...
The only remaining caller is a test helper, and the tests don't use the enterprise gossip
pools.
2021-10-04 17:01:51 -04:00
Daniel Nephin
5ac360b22d
Merge pull request #11126 from hashicorp/dnephin/acl-legacy-remove-resolve-and-get-policy
...
acl: remove ACL.GetPolicy RPC endpoint and ACLResolver.resolveTokenLegacy
2021-10-04 16:29:51 -04:00
Connor Kelly
ed5693b537
Add metrics to count the number of service-mesh config entries
2021-10-04 14:50:17 -05:00
Connor Kelly
9c487389cf
Add metrics to count connect native service mesh instances
...
This will add the counts of the service mesh instances tagged by
whether or not it is connect native
2021-10-04 14:37:05 -05:00
Connor Kelly
8000ea45ca
Add metrics to count service mesh Kind instance counts
...
This will add the counts of service mesh instances tagged by the
different ServiceKind's.
2021-10-04 14:36:59 -05:00
Daniel Nephin
b6435259c3
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Remove the early WaitForLeader in dc2, because with it the test was
failing with ACL not found.
2021-10-01 18:03:10 -04:00
Evan Culver
e74ce0fb2e
Add 1.15 versions to too old list
2021-10-01 11:28:26 -07:00
Chris S. Kim
3c8ca0dbd2
agent: Reject partitions in legacy intention endpoints ( #11181 )
2021-10-01 13:18:57 -04:00
Chris S. Kim
bf94949d48
Support partitions in parseIntentionStringComponent ( #11202 )
2021-10-01 12:36:12 -04:00
Dhia Ayachi
8bd52995d1
fix token list by auth method ( #11196 )
...
* add tests to OIDC authmethod and fix entMeta when retrieving auth-methods
* fix oss compilation error
2021-10-01 12:00:43 -04:00
Evan Culver
4cdcaf3658
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-30 11:32:28 -07:00
Evan Culver
7b157bba4e
regenerate more envoy golden files
2021-09-30 10:57:47 -07:00
Daniel Nephin
ec935a2486
acl: call stop for the upgrade goroutine when done
...
TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually
be a leak in production or if this is due to the test setup, but seems easy enough to call it
this way until we remove legacyACLTokenUpgrade.
2021-09-29 17:36:43 -04:00
Daniel Nephin
0c077d0527
acl: only run startACLUpgrade once
...
Since legacy ACL tokens can no longer be created we only need to run this upgrade a single
time when leadership is estalbished.
2021-09-29 16:22:01 -04:00
Daniel Nephin
f21097beda
acl: remove reading of serf acl tags
...
We no long need to read the acl serf tag, because servers are always either ACL enabled or
ACL disabled.
We continue to write the tag so that during an upgarde older servers will see the tag.
2021-09-29 15:45:11 -04:00
Daniel Nephin
b866e3c4f4
acl: fix test failure
...
For some reason removing legacy ACL upgrade requires using an ACL token now
for this WaitForLeader.
2021-09-29 15:21:30 -04:00
Daniel Nephin
ebb2388605
acl: remove legacy ACL upgrades from Server
...
As part of removing the legacy ACL system
2021-09-29 15:19:23 -04:00
Daniel Nephin
41a97360ca
acl: fix test failures caused by remocving legacy ACLs
...
This commit two test failures:
1. Remove check for "in legacy ACL mode", the actual upgrade will be removed in a following commit.
2. Use the root token in WaitForLeader, because without it the test was
failing with ACL not found.
2021-09-29 15:15:50 -04:00
Daniel Nephin
b73b68d696
acl: remove ACL.GetPolicy endpoint and resolve legacy acls
...
And all code that was no longer used once those two were removed.
2021-09-29 14:33:19 -04:00
Daniel Nephin
b8da06a34d
acl: remove ACL upgrading from Clients
...
As part of removing the legacy ACL system ACL upgrading and the flag for
legacy ACLs is removed from Clients.
This commit also removes the 'acls' serf tag from client nodes. The tag is only ever read
from server nodes.
This commit also introduces a constant for the acl serf tag, to make it easier to track where
it is used.
2021-09-29 14:02:38 -04:00
Daniel Nephin
33a5448604
Merge pull request #11136 from hashicorp/dnephin/acl-resolver-fix-default-authz
...
acl: fix default Authorizer for down_policy extend-cache/async-cache
2021-09-29 13:45:12 -04:00
Daniel Nephin
afb1dd5827
Merge pull request #11110 from hashicorp/dnephin/acl-legacy-remove-initialize
...
acl: remove initializeLegacyACL and the rest of the legacy FSM commands
2021-09-29 13:44:30 -04:00
Daniel Nephin
a9ac148c92
Merge pull request #10999 from hashicorp/dnephin/revert-config-xds-port
...
Revert config xds_port
2021-09-29 13:39:15 -04:00
Daniel Nephin
bd28d23b55
command/envoy: stop using the DebugConfig from Self endpoint
...
The DebugConfig in the self endpoint can change at any time. It's not a stable API.
This commit adds the XDSPort to a stable part of the XDS api, and changes the envoy command to read
this new field.
It includes support for the old API as well, in case a newer CLI is used with an older API, and
adds a test for both cases.
2021-09-29 13:21:28 -04:00
Daniel Nephin
2995ac61f2
acl: remove the last of the legacy FSM
...
Replace it with an implementation that returns an error, and rename some symbols
to use a Deprecated suffix to make it clear.
Also remove the ACLRequest struct, which is no longer referenced.
2021-09-29 12:42:23 -04:00
Daniel Nephin
a8358f7575
acl: remove bootstrap-init FSM operation
2021-09-29 12:42:23 -04:00
Daniel Nephin
ea2e0ad2ec
acl: remove initializeLegacyACL from leader init
2021-09-29 12:42:23 -04:00
Daniel Nephin
4e36442583
acl: remove ACLDelete FSM command, and state store function
...
These are no longer used now that ACL.Apply has been removed.
2021-09-29 12:42:23 -04:00
Daniel Nephin
7e37c9a765
acl: remove legacy field to ACLBoostrap
2021-09-29 12:42:23 -04:00
Daniel Nephin
402d3792b6
Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc"
...
This reverts commit 74fb650b6b966588f8faeec26935a858af2b8bb5, reversing
changes made to 58bd8173364effb98b9fd9f9b98d31dd887a9bac.
2021-09-29 12:28:41 -04:00
Daniel Nephin
d4c48a3f23
Merge pull request #11101 from hashicorp/dnephin/acl-legacy-remove-rpc-2
...
acl: remove legacy ACL.Apply RPC
2021-09-29 12:23:55 -04:00
Daniel Nephin
69a83aefcf
Merge pull request #11177 from hashicorp/dnephin/remove-entmeta-methods
...
structs: remove EnterpriseMeta helper methods
2021-09-29 12:08:07 -04:00
Daniel Nephin
acb62aa896
Merge pull request #10986 from hashicorp/dnephin/acl-legacy-remove-rpc
...
acl: remove legacy ACL RPC - part 1
2021-09-29 12:04:09 -04:00
Daniel Nephin
1bc07c5166
structs: rename the last helper method.
...
This one gets used a bunch, but we can rename it to make the behaviour more obvious.
2021-09-29 11:48:38 -04:00
Daniel Nephin
93b3e110b6
structs: remove another helper
...
We already have a helper funtion.
2021-09-29 11:48:03 -04:00
Daniel Nephin
17652227f6
structs: remove two methods that were only used once each.
...
These methods only called a single function. Wrappers like this end up making code harder to read
because it adds extra ways of doing things.
We already have many helper functions for constructing these types, we don't need additional methods.
2021-09-29 11:47:03 -04:00
Daniel Nephin
a0e08086f7
Merge pull request #10988 from hashicorp/dnephin/acl-legacy-remove-config
...
acl: isolate deprecated config and warn when they are used
2021-09-29 11:40:14 -04:00
Daniel Nephin
3f4f7d2f3f
Merge pull request #9456 from hashicorp/dnephin/config-deprecation
...
config: Use DeprecatedConfig struct for deprecated config fields
2021-09-29 11:37:40 -04:00
Evan Culver
cb5ef13fde
Merge remote-tracking branch 'origin/eculver/remove-envoy-1.15' into eculver/remove-envoy-1.15
2021-09-28 16:06:36 -07:00
Evan Culver
eaa9394cb2
Fix typo
...
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-09-29 01:05:45 +02:00
Evan Culver
64f94b10ce
Merge branch 'eculver/envoy-1.19.1' into eculver/remove-envoy-1.15
2021-09-28 15:59:43 -07:00
Evan Culver
807871224a
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 15:58:20 -07:00
Chris S. Kim
3f79aaf509
Cleanup unnecessary normalizing method ( #11169 )
2021-09-28 15:31:12 -04:00
Daniel Nephin
4ed9476a61
Merge pull request #11084 from krastin/krastin-autopilot-loggingtypo
...
Fix a tiny typo in logging in autopilot.go
2021-09-28 15:11:11 -04:00
Evan Culver
e2363c13ff
Merge branch 'main' into eculver/envoy-1.19.1
2021-09-28 11:54:33 -07:00
Chris S. Kim
90fe20c3a2
agent: Clean up unused built-in proxy config ( #11165 )
2021-09-28 11:29:10 -04:00
Daniel Nephin
30fe14eed3
acl: fix default authorizer for down_policy
...
This was causing a nil panic because a nil authorizer is no longer valid after the cleanup done
in https://github.com/hashicorp/consul/pull/10632 .
2021-09-23 18:12:22 -04:00
Daniel Nephin
a6a7069ecf
Remove t.Parallel from TestACLResolver_DownPolicy
...
These tests run in under 10ms, t.Parallel does nothing but slow them down and
make failures harder to debug when one panics.
2021-09-23 18:12:22 -04:00
Dhia Ayachi
4505cb2920
Refactor table index acl phase 2 ( #11133 )
...
* extract common methods from oss and ent
* remove unreachable code
* add missing normalize for binding rules
* fix oss to use Query
2021-09-23 15:26:09 -04:00
Daniel Nephin
cc46fcc53e
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
2021-09-23 15:15:00 -04:00
Daniel Nephin
107c24a68a
config: move acl_ttl to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
5eb2bebdf8
config: move acl_{default,down}_policy to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Daniel Nephin
408eb0e08e
config: Deprecate EnableACLReplication
...
replaced by ACL.TokenReplication
2021-09-23 15:14:59 -04:00
Daniel Nephin
d54db5917f
config: move ACL master token and replication to DeprecatedConfig
2021-09-23 15:14:59 -04:00
Paul Banks
f8412cf5fa
Merge pull request #10903 from hashicorp/feature/ingress-sds
...
Add Support to for providing TLS certificates for Ingress listeners from an SDS source
2021-09-23 16:19:05 +01:00
Dhia Ayachi
ebe333b947
Refactor table index ( #11131 )
...
* convert tableIndex to use the new pattern
* make `indexFromString` available for oss as well
* refactor `indexUpdateMaxTxn`
2021-09-23 11:06:23 -04:00
Paul Banks
d57931124f
Final readability tweaks from review
2021-09-23 10:17:12 +01:00
Paul Banks
66c625a64d
Fix subtle loop bug and add test
2021-09-23 10:13:41 +01:00
Paul Banks
7198d0bd80
Refactor SDS validation to make it more contained and readable
2021-09-23 10:13:19 +01:00
Paul Banks
fe4f69613c
Refactor Ingress-specific lister code to separate file
2021-09-23 10:13:19 +01:00
Paul Banks
f4f0793a10
Minor PR typo and cleanup fixes
2021-09-23 10:13:19 +01:00
Paul Banks
4cc1ccf892
Revert abandonned changes to proxycfg for Ent test consistency
2021-09-23 10:13:19 +01:00
Paul Banks
d812a0edc7
Fix merge conflict in xds tests
2021-09-23 10:12:37 +01:00
Paul Banks
a24efd20fc
Fix some more Enterprise Normalization issues affecting tests
2021-09-23 10:12:37 +01:00
Paul Banks
15969327c0
Remove unused argument to fix lint error
2021-09-23 10:09:11 +01:00
Paul Banks
9422e4ebc7
Handle namespaces in route names correctly; add tests for enterprise
2021-09-23 10:09:11 +01:00
Paul Banks
9d576a08dc
Update xDS routes to support ingress services with different TLS config
2021-09-23 10:08:02 +01:00
Paul Banks
8a4254a894
Update xDS Listeners with SDS support
2021-09-23 10:08:02 +01:00
Paul Banks
8548e15f1b
Update proxycfg to hold more ingress config state
2021-09-23 10:08:02 +01:00
Paul Banks
0e410a1b1f
Add ingress-gateway config for SDS
2021-09-23 10:08:02 +01:00
Daniel Nephin
3e6dc2a843
acl: remove ACL.Apply
...
As part of removing the legacy ACL system.
2021-09-22 18:28:08 -04:00
Daniel Nephin
2ce64e2837
acl: made acl rules in tests slightly more specific
...
When converting these tests from the legacy ACL system to the new RPC endpoints I
initially changed most things to use _prefix rules, because that was equivalent to
the old legacy rules.
This commit modifies a few of those rules to be a bit more specific by replacing the _prefix
rule with a non-prefix one where possible.
2021-09-22 18:24:56 -04:00
Mark Anderson
c87d57bfeb
partitions/authmethod-index work from enterprise ( #11056 )
...
* partitions/authmethod-index work from enterprise
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-22 13:19:20 -07:00
Chris S. Kim
d222f170a7
connect: Allow upstream listener escape hatch for prepared queries ( #11109 )
2021-09-22 15:27:10 -04:00
Evan Culver
88a899d06a
connect: remove support for Envoy 1.15
2021-09-22 11:48:50 -07:00
R.B. Boyer
ba13416b57
grpc: strip local ACL tokens from RPCs during forwarding if crossing datacenters ( #11099 )
...
Fixes #11086
2021-09-22 13:14:26 -05:00
Daniel Nephin
66453d2de9
config: Move two more fields to DeprecatedConfig
...
And add a test for deprecated config fields.
2021-09-22 13:23:03 -04:00
Daniel Nephin
23f070e0a1
config: Introduce DeprecatedConfig
...
This struct allows us to move all the deprecated config options off of
the main config struct, and keeps all the deprecation logic in a single
place, instead of spread across 3+ places.
2021-09-22 13:22:16 -04:00
Evan Culver
4d222cfcd0
add 1.19.x versions to test config
2021-09-22 09:30:45 -07:00
Connor
bc04a155fb
Merge pull request #11090 from hashicorp/clly/kv-usage-metrics
...
Add KVUsage to consul state usage metrics
2021-09-22 11:26:56 -05:00
Connor Kelly
bfe6b64ca7
Strip out go 1.17 bits
2021-09-22 11:04:48 -05:00
Matt Keeler
7c1ef8f515
Add a mock Agent delegate to ease/improve some types of testing
2021-09-22 10:23:01 -04:00
hc-github-team-consul-core
320b20c708
auto-updated agent/uiserver/bindata_assetfs.go from commit 9c0233cf5
2021-09-22 13:05:38 +00:00
hc-github-team-consul-core
949416c071
auto-updated agent/uiserver/bindata_assetfs.go from commit cfbd1bb84
2021-09-22 09:26:14 +00:00
Daniel Nephin
b40bdc9e98
acl: remove remaining tests that use ACL.Apply
...
In preparation for removing ACL.Apply.
Tests for ACL.Apply, ACL.GetPolicy, and ACL upgrades were removed
because all 3 of those will be removed shortly.
The forth test appears to be for the ACLResolver cache, so the test was moved to the correct
test file, and the name was updated to make it obvious what is being tested.
2021-09-21 19:35:26 -04:00
Evan Culver
69f4cc7532
regenerate envoy golden files
2021-09-21 16:21:00 -07:00
Evan Culver
b104b7719c
add envoy 1.19.1
2021-09-21 15:39:36 -07:00
Daniel Nephin
ab91d254a3
fsm: restore the legacy commands
...
and emit a helpful error message.
2021-09-21 18:35:12 -04:00
Daniel Nephin
0180dd67ff
Convert tests to the new ACL system
...
In preparation for removing ACL.Apply
2021-09-21 18:35:12 -04:00
Daniel Nephin
b639f47e3c
config: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
Daniel Nephin
2702aecc27
catalog: use the new ACL system in tests
...
In preparation for removing ACL.Apply
2021-09-21 17:57:29 -04:00
Daniel Nephin
b6218b75d9
Update 4 non-acl tests that used the legacy ACL.Apply
...
These tests don't really care about the endpoint, they just need some way to create an ACL token.
2021-09-21 17:57:29 -04:00
Daniel Nephin
ad9748adc3
acl: remove two commented out tests for legacy ACL replication
...
They were commented out in 2018.
2021-09-21 17:57:29 -04:00
Daniel Nephin
5a31a2e167
acl: replace legacy Get and List RPCs with an error impl
...
These endpoints are being removed as part of the legacy ACL system.
2021-09-21 17:57:29 -04:00
Daniel Nephin
26f3380688
acl: remove a couple legacy ACL operation constants
...
structs.ACLForceSet was deprecated 4 years ago, it should be safe to remove now.
ACLBootstrapNow was removed in a recent commit. While it is technically possible that a cluster with mixed version
could still attempt a legacy boostrap, we documented that the legacy system was deprecated in 1.4, so no
clusters that are being upgraded should be attempting a legacy boostrap.
2021-09-21 17:57:29 -04:00
Daniel Nephin
af8c10afc4
acl: Remove unused ACLPolicyIDType
2021-09-21 17:57:29 -04:00
Daniel Nephin
5493ff06cc
Merge pull request #10985 from hashicorp/dnephin/acl-legacy-remove-replication
...
acl: remove legacy ACL replication
2021-09-21 17:56:54 -04:00
Connor
64852cd3e5
Apply suggestions from code review
...
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
2021-09-21 10:52:46 -05:00
R.B. Boyer
2773bd94d7
xds: fix representation of incremental xDS subscriptions ( #10987 )
...
Fixes #10563
The `resourceVersion` map was doing two jobs prior to this PR. The first job was
to track what version of every resource we know envoy currently has. The
second was to track subscriptions to those resources (by way of the empty
string for a version). This mostly works out fine, but occasionally leads to
consul removing a resource and accidentally (effectively) unsubscribing at the
same time.
The fix separates these two jobs. When all of the resources for a subscription
are removed we continue to track the subscription until envoy explicitly
unsubscribes
2021-09-21 09:58:56 -05:00
Connor Kelly
973b7b5c78
Fix test
2021-09-20 13:44:43 -05:00
Connor Kelly
698fc291a9
Add KVUsage to consul state usage metrics
...
This change will add the number of entries in the consul KV store to the
already existing usage metrics.
2021-09-20 12:41:54 -05:00
R.B. Boyer
55b36dd056
xds: ensure the active streams counters are 64 bit aligned on 32 bit systems ( #11085 )
2021-09-20 11:07:11 -05:00
Krastin Krastev
ba13dbf24c
Update autopilot.go
...
Fixing a minuscule typo in logging
2021-09-20 14:40:58 +02:00
Freddy
f1b2ef30d1
Merge pull request #11071 from hashicorp/partitions/ixn-decisions
2021-09-16 15:18:23 -06:00
freddygv
661f520841
Fixup proxycfg tproxy case
2021-09-16 15:05:28 -06:00
freddygv
12eec88dff
Remove ent checks from oss test
2021-09-16 14:53:28 -06:00
R.B. Boyer
7fa8f19077
acl: ensure the global management policy grants all necessary partition privileges ( #11072 )
2021-09-16 15:53:10 -05:00
freddygv
cf56be7d8d
Ensure partition is defaulted in authz
2021-09-16 14:39:01 -06:00
freddygv
b5a8935bb8
Default the partition in ixn check
2021-09-16 14:39:01 -06:00
freddygv
caafc1905e
Fixup test
2021-09-16 14:39:01 -06:00
freddygv
8a9bf3748c
Account for partitions in ixn match/decision
2021-09-16 14:39:01 -06:00
Jeff Widman
a8f396c55f
Bump `go-discover` to fix broken dep tree ( #10898 )
2021-09-16 15:31:22 -04:00
hc-github-team-consul-core
5a6f9e38b1
auto-updated agent/uiserver/bindata_assetfs.go from commit 1d9d3349c
2021-09-16 17:31:08 +00:00
R.B. Boyer
4e7b6888e3
acl: fix intention:*:write checks ( #11061 )
...
This is a partial revert of #10793
2021-09-16 11:08:45 -05:00
Freddy
88627700d0
Merge pull request #11051 from hashicorp/partitions/fixes
2021-09-16 09:29:00 -06:00
Freddy
494764ee2d
acl: small resolver changes to account for partitions ( #11052 )
...
Also refactoring the enterprise side of a test to make it easier to reason about.
2021-09-16 09:17:02 -05:00
freddygv
7927a97c2f
Fixup manager tests
2021-09-15 17:24:05 -06:00
freddygv
dc549eca30
Default partition in match endpoint
2021-09-15 17:23:52 -06:00
freddygv
0cdcbbb4c9
Pass partition to intention match query
2021-09-15 17:23:52 -06:00
freddygv
a57c52ca32
Ensure partition is used for SAN validation
2021-09-15 17:23:48 -06:00
Mark Anderson
08b222cfc3
ACL Binding Rules table partitioning ( #11044 )
...
* ACL Binding Rules table partitioning
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 13:26:08 -07:00
hc-github-team-consul-core
23e3f865b0
auto-updated agent/uiserver/bindata_assetfs.go from commit fc14a412f
2021-09-15 18:55:29 +00:00
hc-github-team-consul-core
abe0195257
auto-updated agent/uiserver/bindata_assetfs.go from commit b16a6fa03
2021-09-15 17:14:42 +00:00
Dhia Ayachi
25ea1a9276
use const instead of literals for `tableIndex` ( #11039 )
2021-09-15 10:24:04 -04:00
Mark Anderson
ffe3806aaf
Refactor `indexAuthMethod` in `tableACLBindingRules` ( #11029 )
...
* Port consul-enterprise #1123 to OSS
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* Fixup missing query field
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
* change to re-trigger ci system
Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-09-15 09:34:19 -04:00
Freddy
8804577de1
Merge pull request #11024 from hashicorp/partitions/rbac
2021-09-14 11:18:19 -06:00
Freddy
27f40ccf51
Update error texts ( #11022 )
...
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-09-14 11:08:06 -06:00
freddygv
f209408918
Update spiffe ID patterns used for RBAC
2021-09-14 11:00:03 -06:00
freddygv
0e30151eaa
Expand testing of simplifyNotSourceSlice for partitions
2021-09-14 10:55:15 -06:00
freddygv
a65da57a3d
Expand testing of removeSameSourceIntentions for partitions
2021-09-14 10:55:09 -06:00
freddygv
e9d78a20c7
Account for partition when matching src intentions
2021-09-14 10:55:02 -06:00
Daniel Nephin
44d91ea56f
Add failures_before_warning to checks ( #10969 )
...
Signed-off-by: Jakub Sokołowski <jakub@status.im>
* agent: add failures_before_warning setting
The new setting allows users to specify the number of check failures
that have to happen before a service status us updated to be `warning`.
This allows for more visibility for detected issues without creating
alerts and pinging administrators. Unlike the previous behavior, which
caused the service status to not update until it reached the configured
`failures_before_critical` setting, now Consul updates the Web UI view
with the `warning` state and the output of the service check when
`failures_before_warning` is breached.
The default value of `FailuresBeforeWarning` is the same as the value of
`FailuresBeforeCritical`, which allows for retaining the previous default
behavior of not triggering a warning.
When `FailuresBeforeWarning` is set to a value higher than that of
`FailuresBeforeCritical it has no effect as `FailuresBeforeCritical`
takes precedence.
Resolves: https://github.com/hashicorp/consul/issues/10680
Signed-off-by: Jakub Sokołowski <jakub@status.im>
Co-authored-by: Jakub Sokołowski <jakub@status.im>
2021-09-14 12:47:52 -04:00
Dhia Ayachi
4992218676
convert expiration indexed in ACLToken table to use `indexerSingle` ( #11018 )
...
* move intFromBool to be available for oss
* add expiry indexes
* remove dead code: `TokenExpirationIndex`
* fix remove indexer `TokenExpirationIndex`
* fix rebase issue
2021-09-13 14:37:16 -04:00
Dhia Ayachi
1f23bdf388
add locality indexer partitioning ( #11016 )
...
* convert `Roles` index to use `indexerSingle`
* split authmethod write indexer to oss and ent
* add index locality
* add locality unit tests
* move intFromBool to be available for oss
* use Bool func
* refactor `aclTokenList` to merge func
2021-09-13 11:53:00 -04:00
Dhia Ayachi
3638825db8
convert `indexAuthMethod` index to use `indexerSingle` ( #11014 )
...
* convert `Roles` index to use `indexerSingle`
* fix oss build
* split authmethod write indexer to oss and ent
* add auth method unit tests
2021-09-10 16:56:56 -04:00
Paul Banks
ecbe8f0656
Include namespace and partition in error messages when validating ingress header manip
2021-09-10 21:11:00 +01:00
Paul Banks
e6642c6dae
Refactor HTTPHeaderModifiers.MergeDefaults based on feedback
2021-09-10 21:11:00 +01:00
Paul Banks
a1acb7ec3b
Fix enterprise test failures caused by differences in normalizing EnterpriseMeta
2021-09-10 21:11:00 +01:00
Paul Banks
3484d77b18
Fix enterprise discovery chain tests; Fix multi-level split merging
2021-09-10 21:11:00 +01:00
Paul Banks
e0ad412f1d
Remove unnecessary check
2021-09-10 21:09:24 +01:00
Paul Banks
5c6d27555b
Fix discovery chain test fixtures
2021-09-10 21:09:24 +01:00
Paul Banks
bc1c86df96
Integration tests for all new header manip features
2021-09-10 21:09:24 +01:00
Paul Banks
1dd1683ed9
Header manip for split legs plumbing
2021-09-10 21:09:24 +01:00
Paul Banks
f70f7b2389
Header manip for service-router plumbed through
2021-09-10 21:09:24 +01:00