Commit Graph

14929 Commits

Author SHA1 Message Date
Daniel Nephin c866f1041a
Merge pull request #10793 from hashicorp/dnephin/acl-intentions
acl: small cleanup of a couple Authorization flows
2021-08-05 15:16:49 -04:00
Dhia Ayachi 40baf98159
defer setting the state before returning to avoid stuck in `INITIALIZING` state (#10630)
* defer setting the state before returning to avoid being stuck in `INITIALIZING` state

* add changelog

* move comment with the right if statement

* ca: report state transition error from setSTate

* update comment to reflect state transition

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-05 14:51:19 -04:00
Daniel Nephin 79ab48ef81
Merge pull request #10768 from hashicorp/dnephin/agent-tls-cert-expiration-metric
telemetry: add Agent TLS Certificate expiration metric
2021-08-04 18:42:02 -04:00
Daniel Nephin 0ca9e875e2 acl: remove special handling of services in txn_endpoint
Follow up to: https://github.com/hashicorp/consul/pull/10738#discussion_r680190210

Previously we were passing an Authorizer that would always allow the
operation, then later checking the authorization using vetServiceTxnOp.

On the surface this seemed strange, but I think it was actually masking
a bug as well. Over time `servicePreApply` was changed to add additional
authorization for `service.Proxy.DestinationServiceName`, but because
we were passing a nil Authorizer, that authorization was not handled on
the txn_endpoint.

`TxnServiceOp.FillAuthzContext` has some special handling in enterprise,
so we need to make sure to continue to use that from the Txn endpoint.

This commit removes the `vetServiceTxnOp` function, and passes in the
`FillAuthzContext` function so that `servicePreApply` can be used by
both the catalog and txn endpoints. This should be much less error prone
and prevent bugs like this in the future.
2021-08-04 18:32:20 -04:00
hc-github-team-consul-core ef162f8390 auto-updated agent/uiserver/bindata_assetfs.go from commit bcd53e73a 2021-08-04 22:27:44 +00:00
Kenia 01ec8d1419
ui: Add Vault as a Service External Source (#10769) 2021-08-04 18:22:43 -04:00
Daniel Nephin f6d5a85561 acl: move check for Intention.DestinationName into Authorizer
Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r680134445

Move the check for the Intention.DestinationName into the Authorizer to remove the
need to check what kind of Authorizer is being used.

It sounds like this check is only for legacy ACLs, so is probably just a safeguard
.
2021-08-04 18:06:44 -04:00
Daniel Nephin 3dc113ada6
Merge pull request #10738 from hashicorp/dnephin/remove-authorizer-nil-checks-2
acl: remove the last of the authz == nil checks
2021-08-04 17:41:40 -04:00
Daniel Nephin 2e9aa91256
Merge pull request #10737 from hashicorp/dnephin/remove-authorizer-nil-checks
acl: remove authz == nil checks
2021-08-04 17:39:34 -04:00
trujillo-adam caa7052455
Merge pull request #10763 from hashicorp/docs-proxy-integration-improvements
general language and readability improvements to proxy integration docs
2021-08-04 14:36:47 -07:00
Daniel Nephin de2a55f95a
Merge pull request #10727 from hashicorp/dependabot-configuration
Add initial Dependabot configuration
2021-08-04 17:09:17 -04:00
trujillo-adam 068ec1b607 Applying more feedback from @black and @karl-cardenas-coding 2021-08-04 14:02:42 -07:00
trujillo-adam c412c2811d Applying feedback from @blake 2021-08-04 11:29:21 -07:00
Daniel Nephin 13aa7b70d5 telemetry: fix a couple bugs in cert expiry metrics
1. do not emit the metric if Query fails
2. properly check for PrimaryUsersIntermediate, the logic was inverted

Also improve the logging by including the metric name in the log message
2021-08-04 13:51:44 -04:00
Daniel Nephin 1673b3a68c telemetry: add a metric for agent TLS cert expiry 2021-08-04 13:51:44 -04:00
trujillo-adam df643bb921
Update website/content/docs/connect/proxies/integrate.mdx
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-08-04 10:44:06 -07:00
Dhia Ayachi 6ed6966a1f
fix state index for `CAOpSetRootsAndConfig` op (#10675)
* fix state index for `CAOpSetRootsAndConfig` op

* add changelog

* Update changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* remove the change log as it's not needed

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-08-04 13:07:49 -04:00
hc-github-team-consul-core 4b2ada0dcc auto-updated agent/uiserver/bindata_assetfs.go from commit 8ad1ab9c0 2021-08-04 16:47:13 +00:00
Kenia 1927ada2e7
ui: Fix Health Checks in K/V form Lock Sessions Info section (#10767) 2021-08-04 12:41:41 -04:00
trujillo-adam 0a6ea4e91e general language and readability improvements to proxy integration docs 2021-08-03 15:56:56 -07:00
Evan Culver 57aabe3455
checks: Add Interval and Timeout to API response (#10717) 2021-08-03 15:26:49 -07:00
Daniel Nephin 1e640930b5
Merge pull request #10601 from hashicorp/joshwolfer-patch-1
docs: link to config entries from enable_central_service_config
2021-08-03 16:35:23 -04:00
joshwolfer d53db57558 Update options.mdx
add service config link to description of enable_central_service_config.
2021-08-03 15:36:51 -04:00
Blake Covarrubias 0a95b668d4
docs: Fix service checks docs on session endpoint (#10759)
The ServiceChecks parameter was incorrectly documented in e515c9d44 to
state that it accepted a list of string values, when actually the API
requires an array of ServiceCheck objects.

This commit updates the docs for the parameter to correctly reflect
the fields required by the API.

Resolves #10752
2021-08-03 09:57:31 -07:00
Matt Explosion d1ce78db38 Updated link to repo for native Scala Consul client Helm 2021-08-02 22:01:05 -07:00
Blake Covarrubias 9eb8622061
docs: Note proxy-defaults can globally set service protocol (#10649)
Add a note to the docs for the service defaults config entry which
informs users that the service protocol can be configured for all
services using the proxy defaults config entry.

Resolves #8279

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 13:23:58 -07:00
Blake Covarrubias 57e5b06c17
docs: Document supported `consul connect` env vars (#10667)
Document the ability to specify `-sidecar-for` and `-proxy-id` flags
via environment variables.
2021-08-02 12:50:51 -07:00
Blake Covarrubias 4a3e9d4e8b website: Add redirect for /connect/ingress-gateways
Add redirect /docs/connect/ingress-gateways, which currently returns
404, to /docs/connect/gateways/ingress-gateway.

Fixes #10748
2021-08-02 11:58:49 -07:00
Blake Covarrubias 5baa231eb0
docs: Add namespace parameter to additional HTTP endpoints (#10731)
Document the namespace parameter can be specified on HTTP Check,
Connect CA leaf, and Discovery Chain API endpoints.

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-08-02 11:55:23 -07:00
Blake Covarrubias 98d03e604d docs: Add /v1/agent/host endpoint
Document /v1/agent/host endpoint which is used by `consul debug`.
Originally added in #4754.
2021-08-02 10:29:39 -07:00
Mike Wickett 99f7020c33
chore: upgrade react-consent-manager (#10749) 2021-08-02 12:41:58 -04:00
Daniel Nephin 953c9bee4f acl: Remove the remaining authz == nil checks
These checks were a bit more involved. They were previously skipping some code paths
when the authorizer was nil. After looking through these it seems correct to remove the
authz == nil check, since it will never evaluate to true.
2021-07-30 14:55:35 -04:00
Daniel Nephin e4821a58ee acl: remove acl == nil checks 2021-07-30 14:28:19 -04:00
Daniel Nephin fbaeac9ecf acl: remove authz == nil checks
These case are already impossible conditions, because most of these functions already start
with a check for ACLs being disabled. So the code path being removed could never be reached.

The one other case (ConnectAuthorized) was already changed in a previous commit. This commit
removes an impossible branch because authz == nil can never be true.
2021-07-30 13:58:35 -04:00
Daniel Nephin b6d9d0d9f7 acl: remove many instances of authz == nil 2021-07-30 13:58:35 -04:00
Daniel Nephin bbc05ae869 agent: remove unused agent methods
These methods are no longer used. Remove the methods, and update the
tests to use actual method used by production code.

Also removes the 'authz == nil' check is no longer a possible code path
now that we are returning a non-nil acl.Authorizer when ACLs are disabled.
2021-07-30 13:58:35 -04:00
Daniel Nephin 2503f27a36 acl: remove rule == nil checks 2021-07-30 13:58:35 -04:00
hc-github-team-consul-core 701d4ffef0 auto-updated agent/uiserver/bindata_assetfs.go from commit 2ee501be8 2021-07-30 17:58:27 +00:00
Kenia ec27dfe706
ui: Add copy button for Secret ID in Tokens list page (#10735) 2021-07-30 13:52:37 -04:00
Daniel Nephin 475fec5670
Merge pull request #10632 from hashicorp/pairing/acl-authorizer-when-acl-disabled
acls: Update ACL authorizer to return meaningful permission when ACLs are disabled
2021-07-30 13:22:55 -04:00
Blake Covarrubias 766b64eac2
api: Support QueryOptions on additional agent endpoints (#10691)
Add support for setting QueryOptions on the following agent API endpoints:

- /agent/health/service/name/:name
- /agent/health/service/id/:id
- /agent/service/maintenance/:id

This follows the same pattern used in #9903 to support query options
for other agent API endpoints.

Resolves #9710
2021-07-30 10:07:13 -07:00
Evan Culver da96c645b2 Fix api/agent test 2021-07-30 12:58:46 -04:00
Evan Culver 53465764df Fix maint test 2021-07-30 12:58:46 -04:00
Evan Culver b628f6235d Fix api/agent test 2021-07-30 12:58:46 -04:00
Evan Culver 241b6429c3 Fix intention endpoint test 2021-07-30 12:58:45 -04:00
Daniel Nephin 9b41e7287f acl: use acl.ManangeAll when ACLs are disabled
Instead of returning nil and checking for nilness

Removes a bunch of nil checks, and fixes one test failures.
2021-07-30 12:58:24 -04:00
Blake Covarrubias 58bc20cc88 Add changelog 2021-07-30 09:58:11 -07:00
Blake Covarrubias f97e843c61 Add OSS changes for specifying audit log permission mode 2021-07-30 09:58:11 -07:00
Kent 'picat' Gruber 05fb8dd192 Add `github-actions` 2021-07-29 17:51:32 -04:00
Kent 'picat' Gruber 2a1fb53f68 Add default `open-pull-requests-limit` for all updates
Using the default value just to start with.
2021-07-29 17:47:33 -04:00