Commit Graph

15703 Commits

Author SHA1 Message Date
John Cowen e5e65b71ad
ui: Only show partition / partition selector if enabled (#11484)
I missed that partitions should never display if you can't use them, not just if you can't choose them.
2021-11-04 12:14:43 +00:00
John Cowen 599e8a05d3
ui: Ensure we check intention service prefix permissions for per service (#11409)
Port of: Ensure we check intention service prefix permissions for per service (#11270)

Previously, when showing some action buttons for 'per service intentions' we used a global 'can I do something with any intention' permission to decide whether to show a certain button or not. If a user has a token that does not have 'global' intention permissions, but does have intention permissions on one or more specific services (for example via service / service_prefix), this meant that we did not show them certain buttons required to create/edit the intentions for this specific service.

This PR adds that extra permissions check so we now check the intentions permissions per service instead of using the 'global' "can I edit intentions" question/request.

**Notes:**

- If a HTML button is `disabled` this means tippy.js doesn't adopt the
popover properly and subsequently hide it from the user, so aswell as
just disabling the button so you can't active the popover, we also don't
even put the popover on the page
- If `ability.item` or `ability.item.Resources` are empty then assume no access

**We don't try to disable service > right hand side intention actions here**

Whether you can create intentions for a service depends on the
_destination_ of the intention you would like to create. For the
topology view going from the LHS to the center, this is straightforwards
as we only need to know the permissions for the central service, as when
you are going from the LHS to the center, the center is the
_destination_.

When going from the center to the RHS the _destination[s]_ are on the
RHS. This means we need to know the permissions for potentially 1000s of
services all in one go in order to know when to show a button or not.

We can't realistically discover the permissions for service > RHS
services as we'd have either make a HTTP request per right hand service,
or potentially make an incredibly large POST request for all the
potentially 1000s of services on the right hand side (more preferable to
1000s of HTTP requests).

Therefore for the moment at least we keep the old functionality (thin client)
for the middle to RHS here. If you do go to click on the button and you
don't have permissions to update the intention you will still not be
able to update it, only you won't know this until you click the button
(at which point you'll get a UI visible 403 error)

Note: We reversed the conditional here between 1.10 and 1.11

So this make 100% sense that the port is different here to 1.11
2021-11-04 12:10:28 +00:00
David Yu a96a035973
docs: consul-k8s uninstall with namespace (#11478)
* docs:  consul-k8s uninstall with namespace

Uninstall with namespace

* change release name to consul in uninstall

* Update website/content/docs/k8s/operations/uninstall.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* add --create-namespace command to install for custom values file

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-11-03 16:48:48 -07:00
Kevin Wang c5ecafdfde
chore: react-subnav (#11486) 2021-11-03 17:05:12 -04:00
Daniel Nephin 7a9d936a70
Merge pull request #10822 from hashicorp/krarey/patch-replication-policy
Update namespaced replication token example
2021-11-03 15:40:36 -04:00
Kyle Rarey 37e051ed36 Update namespaced replication token example 2021-11-03 15:33:30 -04:00
FFMMM e7ffef54ee
fix aws pca certs (#11470)
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-11-03 12:21:24 -07:00
Thomas Eckert 4789e3a4d0
Update Helm Docs for v0.36.0 Consul K8s release (#11483)
Co-authored-by: David Yu <dyu@hashicorp.com>
2021-11-03 10:04:16 -07:00
Luke Kysow 0f8434a213
Add quick-link for users coming from UI (#11403)
The Consul UI topology view has an icon with the text
"Configure metrics dashboard" that links to this page. Add a notice at
the top of the page that links them directly to the relevant section.
2021-11-03 09:37:30 -07:00
Luke Kysow 56fd7e050a
Use "Open dashboard" everywhere (#11406)
Previously we had "Open metrics Dashboard" and "Configure metrics
dashboard" in the topology cards and then we had "Open Dashboard" in the
top nav when the dashboard was configured.

Now we use "Open dashboard" and "Configure dashboard".

This change was made for consistency in wording and casing. In addition,
the dashboard could be used for metrics but also other dashboards so
there's no need to scope it only to metrics. Also the config is:

```hcl
ui_config {
  dashboard_url_templates
}
```

Which does not mention metrics
2021-11-03 09:29:50 -07:00
Mathew Estafanous 508664440d
Convert (some) test endpoints to use ServeHTTP instead of direct calls to handlers. (#11445) 2021-11-03 11:12:36 -04:00
trujillo-adam 52086937b9
Merge pull request #11307 from hashicorp/docs/admin-partitions-cli-v1.11.0
admin partition docs part 1 - cli
2021-11-02 14:44:43 -07:00
Luke Kysow 6131a207cf
Remove Name/Namespace fields from upstream default (#11456)
The UpstreamConfig.Defaults field does not support setting Name or
Namespace because the purpose is to apply defaults to all upstreams.
I think this was just missed in the docs since those fields would
error if set under Defaults.

i.e. this is not supported:

```
UpstreamConfig {
  Defaults {
    Name = "foo"
    Namespace = "bar"
    # Defaults config here
  }
}
```
2021-11-02 14:21:15 -07:00
FFMMM 27227c0fd2
add root_cert_ttl option for consul connect, vault ca providers (#11428)
* add root_cert_ttl option for consul connect, vault ca providers

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* add changelog, pr feedback

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update .changelog/11428.txt, more docs

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/agent/options.mdx

Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
2021-11-02 11:02:10 -07:00
Daniel Nephin 0ec2a804df
Merge pull request #10690 from tarat44/h2c-support-in-ping-checks
add support for h2c in h2 ping health checks
2021-11-02 13:53:06 -04:00
Freddy a31d65b914
Prevent running build workflows on all PRs (#11469) 2021-11-01 17:29:45 -06:00
Daniel Nephin 00ed2b243f
Merge pull request #10771 from hashicorp/dnephin/emit-telemetry-metrics-immediately
telemetry: improve cert expiry metrics
2021-11-01 18:31:03 -04:00
Freddy 80e2aef31c
Merge pull request #11450 from hashicorp/ap/best-addr
Ensure calls to BestAddress consider partition
2021-11-01 15:44:41 -06:00
freddygv ecccf22fd7 Exclude default partition from GatewayKey string
This will behave the way we handle SNI and SPIFFE IDs, where the default
partition is excluded.

Excluding the default ensures that don't attempt to compare default.dc2
to dc2 in OSS.
2021-11-01 14:45:52 -06:00
freddygv d944e6ae3a Update GatewayKeys deduplication
Federation states data is only keyed on datacenter, so it cannot be
directly compared against keys for gateway groups.
2021-11-01 13:58:53 -06:00
freddygv ce43e8cf99 Store GatewayKey in proxycfg snapshot for re-use 2021-11-01 13:58:53 -06:00
freddygv 51c888a41a Update locality check in xds 2021-11-01 13:58:53 -06:00
freddygv 6657c88296 Update locality check in proxycfg 2021-11-01 13:58:53 -06:00
Peter M 632904ff41
adding K8s page to subnav (#11467)
* adding K8s page to subnav

per request from HLT, updating use case tab to lead to K8s page instead of service mesh.

* Update subnav.js
2021-11-01 12:41:55 -07:00
Melissa Kam 36ebca63ed
Merge pull request #11466 from hashicorp/cts-tls-typo
docs/nia: Fix typo in TLS configs for CTS
2021-11-01 14:23:15 -05:00
Melissa Kam f7297a712d docs/nia: Fix typo in TLS configs for CTS 2021-11-01 14:03:19 -05:00
Daniel Nephin c706bf135c
Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider
ca: split the Provider interface into Primary/Secondary
2021-11-01 14:11:15 -04:00
Daniel Nephin eaaceedf31
Merge pull request #11338 from hashicorp/dnephin/ca-manager-isolate-secondary
ca: clearly identify methods that are primary-only or secondary-only
2021-11-01 14:10:31 -04:00
99 411e59c440
Merge pull request #11417 from hashicorp/crt-migration-1.11.0-betax
Crt migration 1.11.0 betax
2021-11-01 11:02:55 -07:00
Melissa Kam 89c89657d5
Merge pull request #11463 from hashicorp/docs-cts-tls
docs/nia: Update TLS-related configurations for CTS
2021-11-01 12:39:39 -05:00
Daniel Upton a620b6be2e
Support Check-And-Set deletion of config entries (#11419)
Implements #11372
2021-11-01 16:42:01 +00:00
trujillo-adam 2bcd5c42b9
Merge pull request #11441 from hashicorp/docs/admin-partitions-feedback-acl-policies
admin partitions feedback related to ACLs; additional improvements to ACL rule docs
2021-11-01 09:09:38 -07:00
trujillo-adam 5050867956
Update website/content/docs/security/acl/acl-rules.mdx
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
2021-11-01 09:07:08 -07:00
Melissa Kam afac305b54 docs/nia: Update TLS-related configurations for CTS
- Clarify file types and uses of the configurations
- Update some wording to match between Consul and TFE TLS configs
2021-11-01 10:44:14 -05:00
Dhia Ayachi 4d763ef9e6
regenerate expired certs (#11462)
* regenerate expired certs

* add documentation to generate tests certificates
2021-11-01 11:40:16 -04:00
trujillo-adam c68b3491c7
Apply suggestions from code review
fixed typos

Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-11-01 08:08:04 -07:00
Jared Kirschner 6dfcbeceec
Merge pull request #11348 from kbabuadze/fix-answers-alt-domain
Fix answers for alt domain
2021-10-29 17:09:20 -04:00
David Yu 571cff9dc9
docs: add -verbose flag for install command (#11447) 2021-10-29 12:08:23 -07:00
99 324fa75d25 PR fixes 2021-10-28 22:22:38 -07:00
R.B. Boyer 2353d59413
cli: update consul members output to display partitions and sort the results usefully (#11446) 2021-10-28 17:27:31 -05:00
R.B. Boyer d40d098321
agent: for various /v1/agent endpoints parse the partition parameter on the request (#11444)
Also update the corresponding CLI commands to send the parameter
appropriately.

NOTE: Behavioral changes are not happening in this PR.
2021-10-28 16:44:38 -05:00
R.B. Boyer 017e9d5ae4
agent: add a clone function for duplicating the serf lan configuration (#11443) 2021-10-28 16:11:26 -05:00
Mark Anderson a749a41d07
Fix back compat issues with UDS config (#11318)
SocketPath needs to be omitted when empty to avoid confusing older versions of Consul

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2021-10-28 13:31:10 -07:00
David Yu c3a1895f2e
docs: revised Helm install to create namespace and install on dedicated namespace (#11440)
* docs: revised Helm install to create namespace and install on dedicated Consul namespace

* Update website/content/docs/k8s/installation/install.mdx

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>

* Update install.mdx

* changing to Helm 3.2+ as a pre-req to make it easier to follow
* might as well bump to latest version

Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
2021-10-28 12:27:00 -07:00
Daniel Nephin a8d6392ab5 Add tests for cert expiry metrics 2021-10-28 14:38:57 -04:00
trujillo-adam e70cff6ee8 applying admin partitions feedback related to ACLs; additional immprovments to ACL rule docs 2021-10-28 11:23:15 -07:00
99 daf4208341
Update .github/workflows/build.yml
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-10-28 11:07:55 -07:00
Daniel Nephin 503dee2d80
Merge pull request #10671 from hashicorp/dnephin/fix-subscribe-test-flake
subscribe: improve TestSubscribeBackend_IntegrationWithServer_DeliversAllMessages
2021-10-28 12:57:09 -04:00
Daniel Nephin b02b324c9d
Merge pull request #11255 from hashicorp/dnephin/fix-auth-verify-incoming
tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true
2021-10-28 12:56:58 -04:00
sidzi ec65c6b3c5
Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00