This adds acl enforcement to the two endpoints that were missing it.
Note that in the case of getting a services health by its id, we still
must first lookup the service so we still "leak" information about a
service with that ID existing. There isn't really a way around it though
as ACLs are meant to check service names.
Previous to 1.7 splitter names didn't include the namespace name
i.e. 'service-name'
as of 1.7 they now include the namespace
i.e. 'service-name.namespace'
This commit take account of that
* Updates to the Txn API for namespaces
* Update agent/consul/txn_endpoint.go
Co-Authored-By: R.B. Boyer <rb@hashicorp.com>
Co-authored-by: R.B. Boyer <public@richardboyer.net>
* ui: Discovery-Chain: Cope with redirects that have failovers
We found a few stranger configurations for discovery-chain, one of which
was redirects that can then failover.
We altered the parsing here to include 2 passes, one to organize the
nodes into resolvers and children/subsets based on the nodes themselves, which
includes adding the failovers to resolvers and subsets.
We then do a second pass which can more reliably figure out whether a
target is a redirect or a failover (target failovers don't have a
corresponding node), this then adds the redirect children to the already
exising resolver (from the first pass) and then checks if the redirect
also has failovers and adds those if so.
* ui: Check to see if we have a user configured default route or not
...if we don't add one so the visualization looks complete
* ui: Enable blocking queries/live updates for intentions
* ui: Add acceptance tests for intention blocking queries
* ui: Add copy to explain that intentions are also now 'real time'
In an ember environment `config/environment.js` exports a JSON object
whereas the file itself exports a function that receives a string of the
environment name that would like returning.
This is so ember can automatically provide you with an already
configured object containing configuration values dependent on which
environment you passed to `ember-cli` using `serve`, `build` or `test`.
In order to bypass this so we can easily test what is returned for
different environments, we've installed a lightweight functional test
harness that is simple to use `substack/tape`, that can be run easily
outside of ember.
We've then written as simple test case using this to enable us to
test/assert that different environments return the correct configuration
values.
Additionally we've added some yarn scripts/make targets (yarn run
test-node / make test-node) to make this easy to run. We're yet to
integrate this into CI.
This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file.
This allows us to define API client TLS options per Consul secret backend in Vault.
Related issue hashicorp/vault#4800
When editing Nspaces, although you can assign policies to a nspace using
PolicyDefaults you cannot assign a Service Identity to a policy like you
can when adding a policy to a token.
This commit adds an extra attribute to our policy-form/policy-selector
component so you can disable this setting. At a later date we may change
this to have a conficgurable `<Slot />` instead.
Simple acceptance tests is included here
This commit changes the health check example shown for the
success/failures_before_passing option to correctly show that the value
of `checks` is an array of objects, not an object.
Added text clarifying these check parameters are available in Consul
1.7.0 and later.
Expanded the health check to provide a more complete configuration
example.
Resolves#7114.
* Unflake the TestAPI_AgentConnectCALeaf test
* Modify the WaitForActiveCARoot to actually verify that at least one root exists
Also verify that the active root id field is set
Alexandru Matei