99ead8324f
agent: alias checks have no interval
2018-07-12 09:36:11 -07:00
b12d8ae179
agent/structs: check is alias if node is empty
2018-07-12 09:36:11 -07:00
00d95f9214
agent/checks: support node-only checks
2018-07-12 09:36:11 -07:00
275d2b929a
agent/checks: set critical if RPC fails
2018-07-12 09:36:11 -07:00
175e74972d
agent/checks: use local state for local services
2018-07-12 09:36:11 -07:00
3177d1719d
agent/local: support local alias checks
2018-07-12 09:36:10 -07:00
75ea0a1ee7
agent: run alias checks
2018-07-12 09:36:10 -07:00
0c4cd2df01
agent/checks: reflect node failure as alias check failure
2018-07-12 09:36:10 -07:00
3cbdade3b8
agent/config: support configuring alias check
2018-07-12 09:36:10 -07:00
10d68ec56f
agent/checks: add Alias check type
2018-07-12 09:36:09 -07:00
ba67087e3c
Release v1.2.1
2018-07-12 16:33:56 +00:00
cc46d59269
Merge pull request #4379 from hashicorp/persist-intermediates
...
connect: persist intermediate CAs on leader change
2018-07-12 12:09:13 -04:00
6fe7faa554
Merge pull request #4381 from hashicorp/proxy-check-default
...
Proxy check default
2018-07-12 17:08:35 +01:00
965fc9cf62
Revert "Allow changing Node names since Node now have IDs"
2018-07-12 11:19:21 -04:00
d8a4d9137b
Fixup formatting
2018-07-12 10:14:26 -04:00
d63c5807cf
Revert PR 4294 - Catalog Register: Generate UUID for services registered without one
...
UUID auto-generation here causes trouble in a few cases. The biggest being older
nodes reregistering will fail when the UUIDs are different and the names match
This reverts commit 0f700340828f464449c2e0d5a82db0bc5456d385.
This reverts commit d1a8f9cb3f6f48dd9c8d0bc858031ff6ccff51d0.
This reverts commit cf69ec42a418ab6594a6654e9545e12160f30970.
2018-07-12 10:06:50 -04:00
0a365b1a4f
Merge pull request #4374 from hashicorp/feature/proxy-env-vars
...
Setup managed proxy environment with API client env vars
2018-07-12 09:13:54 -04:00
8b54b87599
Update proxy config docs and add test for ipv6
2018-07-12 13:07:48 +01:00
9223102331
Default managed proxy TCP check address sanely when proxy is bound to 0.0.0.0.
...
This also provides a mechanism to configure custom address or disable the check entirely from managed proxy config.
2018-07-12 12:57:10 +01:00
eccadda019
Set api.Config’s InsecureSkipVerify to the value of !RuntimeConfig.VerifyOutgoing
2018-07-12 07:49:23 -04:00
240e2affcd
Use type switch instead of .Network for more reliably detecting UnixAddrs
2018-07-12 07:30:17 -04:00
09ff064bc7
Look specifically for tcp instead of unix
...
Add runtime -> api.Config tests
2018-07-11 17:25:36 -04:00
ebf3319211
Update proxy manager test - test passing ProxyEnv vars
2018-07-11 16:50:27 -04:00
2a40f93ac8
connect: use reflect.DeepEqual instead for test
2018-07-11 13:10:58 -07:00
42729d5aff
Merge pull request #3983 from pierresouchay/node_renaming
...
Allow changing Node names since Node now have IDs
2018-07-11 16:03:02 -04:00
f9a35a9338
connect: add provider state to snapshots
2018-07-11 11:34:49 -07:00
9c21cc7ac9
connect: update leader initializeCA comment
2018-07-11 10:00:42 -07:00
db254f0991
connect: persist intermediate CAs on leader change
2018-07-11 09:44:30 -07:00
1e5e9fd8cd
PR Updates
...
Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
2018-07-11 09:44:54 -04:00
bda7cb1448
Merge pull request #4371 from hashicorp/bugfix/gh-4358
...
Remove https://prefix from TLSConfig.Address
2018-07-11 08:50:10 -04:00
3d0a960470
When renaming a node, ensure the name is not taken by another node.
...
Since DNS is case insensitive and DB as issues when similar names with different
cases are added, check for unicity based on case insensitivity.
Following another big incident we had in our cluster, we also validate
that adding/renaming a not does not conflicts with case insensitive
matches.
We had the following error once:
- one node called: mymachine.MYDC.mydomain was shut off
- another node (different ID) was added with name: mymachine.mydc.mydomain before
72 hours
When restarting the consul server of domain, the consul server restarted failed
to start since it detected an issue in RAFT database because
mymachine.MYDC.mydomain and mymachine.mydc.mydomain had the same names.
Checking at registration time with case insensitivity should definitly fix
those issues and avoid Consul DB corruption.
2018-07-11 14:42:54 +02:00
a124512ce3
Merge pull request #4365 from pierresouchay/fix_test_warning
...
Fixed compilation warning about wrong type
2018-07-10 16:53:29 -04:00
358e6c8f6a
Pass around an API Config object and convert to env vars for the managed proxy
2018-07-10 12:13:51 -04:00
988acfdc67
Use %q, not %s as it used to
2018-07-10 16:52:08 +02:00
86ce52d0d3
Merge remote-tracking branch 'origin/master' into bugfix/prevent-multi-cname
2018-07-10 10:26:45 -04:00
22c5951ec4
Merge pull request #4303 from pierresouchay/non_blocking_acl
...
Only send one single ACL cache refresh across network when TTL is over
2018-07-10 08:57:33 -04:00
2762586b0e
Merge pull request #4362 from hashicorp/bugfix/gh-4354
...
Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
2018-07-10 08:50:31 -04:00
455d8fbea6
Fixed compilation warning about wrong type
...
It fixes the following warnings:
agent/config/builder.go:1201: Errorf format %q has arg s of wrong type *string
agent/config/builder.go:1240: Errorf format %q has arg s of wrong type *string
2018-07-09 23:43:56 +02:00
dae66b1afc
Merge pull request #4038 from pierresouchay/ACL_additional_info
...
Track calls blocked by ACLs using metrics
2018-07-09 20:21:21 +01:00
9bc5fe7fe5
Tests/Proxy : Changed function name to match the system being tested.
2018-07-09 13:18:57 -04:00
3a00c5a834
Resolved merge conflicts
2018-07-09 12:48:34 -04:00
0b50b84429
Agent/Proxy: Formatting and test cases fix
2018-07-09 12:46:10 -04:00
115893b7d8
Remove https://prefix from TLSConfig.Address
2018-07-09 12:31:15 -04:00
a26deb44cf
Ensure TXT RRs always end up in the Additional section except for ANY or TXT queries
...
This also changes where the enforcement of the enable_additional_node_meta_txt configuration gets applied.
formatNodeRecord returns the main RRs and the meta/TXT RRs in separate slices. Its then up to the caller to add to the appropriate sections or not.
2018-07-09 12:30:11 -04:00
f0af60612c
Proxy/Tests: Added test cases to check env variables
2018-07-09 12:28:29 -04:00
4a8814ea01
Agent/Proxy : Properly passes env variables to child
2018-07-09 12:28:29 -04:00
9128de5b11
Merge remote-tracking branch 'origin/master' into ACL_additional_info
2018-07-07 14:09:18 +02:00
135ac85b21
Fixed indentation in test
2018-07-07 14:03:34 +02:00
883b2a518a
Store the time CARoot is rotated out instead of when to prune
2018-07-06 16:05:25 -07:00
e79f630adf
Agent/Proxy : Properly passes env variables to child
2018-07-05 22:04:29 -04:00
e9390fb5c7
Refactor to make this much less confusing
2018-07-03 11:04:19 -04:00
4d1bdd8fdb
Add a bunch of comments about preventing multi-cname
...
Hopefully this a bit clearer as to the reasoning
2018-07-03 10:32:52 -04:00
22cc44877d
Fix some edge cases and add some tests.
2018-07-02 16:58:52 -04:00
e3859b4f04
Only allow 1 CNAME when querying for a service.
...
This just makes sure that if multiple services are registered with unique service addresses that we don’t blast back multiple CNAMEs for the same service DNS name and keeps us within the DNS specs.
2018-07-02 16:12:06 -04:00
3c520019e9
connect/ca: add logic for pruning old stale RootCA entries
2018-07-02 10:35:05 -07:00
ad40be86d5
Merge pull request #4315 from hashicorp/bugfix/fix-server-enterprise
...
Move starting enterprise functionality
2018-07-02 12:28:10 -04:00
95a0ab9f99
Updated swith case to use same branch for async-cache and extend-cache
2018-07-02 17:39:34 +02:00
6dfbbf1350
Updated documentation and adding more test case for async-cache
2018-07-01 23:50:30 +02:00
382bec0897
Added async-cache with similar behaviour as extend-cache but asynchronously
2018-07-01 23:50:30 +02:00
da9c91fd3d
Only send one single ACL cache refresh across network when TTL is over
...
It will allow the following:
* when connectivity is limited (saturated linnks between DCs), only one
single request to refresh an ACL will be sent to ACL master DC instead
of statcking ACL refresh queries
* when extend-cache is used for ACL, do not wait for result, but refresh
the ACL asynchronously, so no delay is not impacting slave DC
* When extend-cache is not used, keep the existing blocking mechanism,
but only send a single refresh request.
This will fix https://github.com/hashicorp/consul/issues/3524
2018-07-01 23:50:30 +02:00
37377d8779
Change bind_port to an int
2018-06-30 14:18:13 +01:00
02719c52ff
Move starting enterprise functionality
2018-06-29 17:38:29 -04:00
f213c55723
agent/config: parse upstreams with multiple service definitions
2018-06-28 15:13:33 -05:00
b6969b336b
Merge pull request #4297 from hashicorp/b-intention-500-2
...
agent: 400 error on invalid UUID format, api handles errors properly
2018-06-28 05:27:19 +02:00
66af873639
Move default uuid test into the consul package
2018-06-27 09:21:58 -04:00
dbc407cec9
go fmt changes
2018-06-27 09:07:22 -04:00
03b683f702
agent: 400 error on invalid UUID format, api handles errors properly
2018-06-27 07:40:06 +02:00
95291ec5ed
Make sure to generate UUIDs when services are registered without one
...
This makes the behavior line up with the docs and expected behavior
2018-06-26 17:04:08 -04:00
f8355d608a
Release v1.2.0
2018-06-25 19:45:20 +00:00
1da3c42867
Merge remote-tracking branch 'connect/f-connect'
2018-06-25 19:42:51 +00:00
d436463d75
revert go changes to hide rotation config
2018-06-25 12:26:18 -07:00
837f23441d
connect/ca: hide the RotationPeriod config field since it isn't used yet
2018-06-25 12:26:18 -07:00
54ad6fc050
agent: convert the proxy bind_port to int if it is a float
2018-06-25 12:26:18 -07:00
b3ba709b3d
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
8b27c3268a
Make sure we omit the Kind value in JSON if empty
2018-06-25 12:26:10 -07:00
0c43a0f448
update UI to latest
2018-06-25 12:25:42 -07:00
859eaea5c4
connect/ca: pull the cluster ID from config during a rotation
2018-06-25 12:25:42 -07:00
a67bfa2c1b
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
fcc5dc6110
connect/ca: leave blank root key/cert out of the default config (unnecessary)
2018-06-25 12:25:42 -07:00
f3089a6647
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
f79e3e3fa5
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
cea94d0bcf
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
675555c4ff
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
a97c44c1ba
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
7b0845ccde
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
a98b85b25c
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
6ecc0c8099
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
b4fbeb0453
Note leadership issues in comments
2018-06-25 12:25:41 -07:00
21fb98ad5a
Fix test broken by final telemetry PR change!
2018-06-25 12:25:40 -07:00
824a9b4943
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
cbf31a467f
Output the service Kind in the /v1/internal/ui/services endpoint
2018-06-25 12:25:40 -07:00
1d6e1ace11
register TCP check for managed proxies
2018-06-25 12:25:40 -07:00
d1810ba338
Make proxy only listen after initial certs are fetched
2018-06-25 12:25:40 -07:00
42e28fa4d1
Limit proxy telemetry config to only be visible with authenticated with a proxy token
2018-06-25 12:25:39 -07:00
ba6e909ed7
Misc test fixes
2018-06-25 12:25:39 -07:00
ca68136ac7
Refactor to use embedded struct.
2018-06-25 12:25:39 -07:00
6deadef6bd
Revert telemetry config changes ready for cleaner approach
2018-06-25 12:25:39 -07:00
fd3681f35b
Allow user override of proxy telemetry config
2018-06-25 12:25:38 -07:00
ff162ffdde
Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about
2018-06-25 12:25:38 -07:00
ced9b2bee4
Expose telemetry config from RuntimeConfig to proxy config endpoint
2018-06-25 12:25:38 -07:00
Mitchell Hashimoto