Commit Graph

12086 Commits

Author SHA1 Message Date
R.B. Boyer efd8f562a2 update changelog 2020-05-11 21:00:26 -05:00
R.B. Boyer 940e5ad160
acl: add auth method for JWTs (#7846) 2020-05-11 20:59:29 -05:00
Daniel Nephin 801bfb9477 ci: debugging for golangci-lint download failing
We've seen a few CI runs fail with "exit status 52". This will hopefully give us more detail about what is failing.
2020-05-11 19:54:18 -04:00
Kit Patella 24175e2925
Merge pull request #7843 from hashicorp/oss-sync/auditing-config
agent/config: Fix tests & include Audit struct as a pointer on Config
2020-05-11 14:23:44 -07:00
Kit Patella a4ee78440b agent/config: include Audit struct as a pointer on Config, fix tests 2020-05-11 14:13:05 -07:00
Kit Patella a45b67b40f
Merge pull request #7841 from hashicorp/oss-sync/auditing-config
OSS sync - Auditing config
2020-05-11 13:44:38 -07:00
Kit Patella f82a97f8c8 agent/config: add auditing config to OSS and add to enterpriseConfigMap exclusions 2020-05-11 13:27:35 -07:00
Preetha Appan f3ee8d4777 Add Beta super script to page title
also moves version availability to below feature title
2020-05-11 14:59:17 -05:00
Chris Piraino 1173b31949
Return early from updateGatewayServices if nothing to update (#7838)
* Return early from updateGatewayServices if nothing to update

Previously, we returned an empty slice of gatewayServices, which caused
us to accidentally delete everything in the memdb table

* PR comment and better formatting
2020-05-11 14:46:48 -05:00
Chris Piraino 1a7c99cf31
Fix TestInternal_GatewayServiceDump_Ingress (#7840)
Protocol was added as a field on GatewayServices after
GatewayServiceDump PR branch was created.
2020-05-11 14:46:31 -05:00
R.B. Boyer c54211ad52
cli: ensure 'acl auth-method update' doesn't deep merge the Config field (#7839) 2020-05-11 14:21:17 -05:00
Chris Piraino 107c7a9ca7 PR comment and better formatting 2020-05-11 14:04:59 -05:00
Iryna Shustava 97bca3476e
docs: add docs for configuring ACLs with external servers (#7802) 2020-05-11 11:26:10 -07:00
Chris Piraino 9f924400e0 Return early from updateGatewayServices if nothing to update
Previously, we returned an empty slice of gatewayServices, which caused
us to accidentally delete everything in the memdb table
2020-05-11 12:38:04 -05:00
Freddy ebbb234ecb
Gateway Services Nodes UI Endpoint (#7685)
The endpoint supports queries for both Ingress Gateways and Terminating Gateways. Used to display a gateway's linked services in the UI.
2020-05-11 11:35:17 -06:00
Kyle Havlovitz 28b4819882
Merge pull request #7759 from hashicorp/ingress/tls-hosts
Add TLS option for Ingress Gateway listeners
2020-05-11 09:18:43 -07:00
Kyle Havlovitz dc1112eaf8 Disallow the blanket wildcard prefix from being used as custom host 2020-05-08 20:24:18 -07:00
Chris Piraino 3931015a90 Remove development log line 2020-05-08 20:24:18 -07:00
Chris Piraino 29afac01c8 Set default protocol to http in TLS integration test 2020-05-08 20:23:23 -07:00
Chris Piraino a500262a77 Compute all valid DNSSANs for ingress gateways
For DNSSANs we take into account the following and compute the
appropriate wildcard values:
- source datacenter
- namespaces
- alt domains
2020-05-08 20:23:17 -07:00
Preetha Appan 40c67ee0cc Add beta superscript to docs title for wan federation over mesh gateways 2020-05-08 18:25:41 -05:00
Preetha Appan f4bba1d204 Redo PR #7430 for new website
Still has todos and diagrams to be added
2020-05-08 18:07:45 -05:00
Daniel Nephin a8adcf2a96
Merge pull request #7713 from hashicorp/dnephin/connect-proxy-passive-healthcheck
xds: Add passive health check config for upstreams (aka envoy outlier detection)
2020-05-08 15:48:50 -04:00
Daniel Nephin ce3aeb85f5 Add outlier_detection check to integration test
Fix decoding of time.Duration types.
2020-05-08 14:56:57 -04:00
Daniel Nephin 987875524a xds: Add passive health check config for upstreams 2020-05-08 14:56:57 -04:00
Chris Piraino a635e23f86
Restoring config entries updates the gateway-services table (#7811)
- Adds a new validateConfigEntryEnterprise function
- Also fixes some state store tests that were failing in enterprise
2020-05-08 13:24:33 -05:00
Daniel Nephin c2499418ed test: Remove t.Parallel() from agent/structs tests
go test will only run tests in parallel within a single package. In this case the package test run time is exactly the same with or without t.Parallel() (~0.7s).

In generally we should avoid t.Parallel() as it causes a number of problems with `go test` not reporting failure messages correctly. I encountered one of these problems, which is what prompted this change.  Since `t.Parallel` is not providing any benefit in this package, this commit removes it.

The change was automated with:

    git grep -l 't.Parallel' | xargs sed -i -e '/t.Parallel/d'
2020-05-08 14:06:10 -04:00
Freddy a37d7a42c9
Fix up enterprise compatibility for gateways (#7813) 2020-05-08 09:44:34 -06:00
Jono Sosulska 44011c81f2
Fix spelling of deregister (#7804) 2020-05-08 10:03:45 -04:00
Denislav Denov 7d9ac06f83
Merge pull request #7815 from hashicorp/denislavdenov-patch-1
Update license.mdx
2020-05-08 16:04:39 +03:00
Denislav Denov 3932b5b907
Update website/pages/docs/commands/license.mdx
Co-authored-by: danielehc <40759828+danielehc@users.noreply.github.com>
2020-05-08 15:51:52 +03:00
Denislav Denov aa5527303b
Update license.mdx
Hello team,

I noticed that the reset part of the consul license command was missing in the documentation so I added it and created this PR.
2020-05-08 11:13:41 +03:00
R.B. Boyer bf70ad1802
cli: oss refactors to support making the auth method CLI aware of namespace rules in enterprise (#7812) 2020-05-07 17:08:42 -05:00
Chris Piraino 2d657c3c0f
Allow ingress gateways to send empty clusters, routes, and listeners (#7795)
This is useful when updating an config entry with no services, and the
expected behavior is that envoy closes all listeners and clusters.

We also allow empty routes because ingress gateways name route
configurations based on the port of the listener, so it is important we
remove any stale routes. Then, if a new listener with an old port is
added, we will not have to deal with stale routes hanging around routing
to the wrong place.

Endpoints are associated with clusters, and thus by deleting the
clusters we don't have to care about sending empty endpoint responses.
2020-05-07 16:19:25 -05:00
Chris Piraino 964e55e45e Cleanup proxycfg for TLS
- Use correct enterprise metadata for finding config entry
- nil out cancel functions on config snapshot copy
- Look at HostsSet when checking validity
2020-05-07 10:22:57 -05:00
Jeff Escalante 55e5c1b9ef add alert banner to website 2020-05-06 20:06:39 -04:00
Chris Piraino ad8a0544f2
Require individual services in ingress entry to match protocols (#7774)
We require any non-wildcard services to match the protocol defined in
the listener on write, so that we can maintain a consistent experience
through ingress gateways. This also helps guard against accidental
misconfiguration by a user.

- Update tests that require an updated protocol for ingress gateways
2020-05-06 16:09:24 -05:00
Freddy a749f46316
Remove timeout and call to Fatal from goroutine (#7797) 2020-05-06 14:33:17 -06:00
R.B. Boyer 65af2a323c update changelog 2020-05-06 15:32:27 -05:00
R.B. Boyer 095f0503e8
test: make auth method cli crud test work in both oss and ent (#7800) 2020-05-06 15:16:50 -05:00
Kyle Havlovitz a198282349 Add a check for custom host to ingress TLS integration test 2020-05-06 15:12:02 -05:00
Chris Piraino bebf1d5df9 Add TLS field to ingress API structs
- Adds test in api and command/config/write packages
2020-05-06 15:12:02 -05:00
Chris Piraino 2a10984efb Add test for adding DNSSAN for ConnectCALeaf cache type 2020-05-06 15:12:02 -05:00
Kyle Havlovitz c194e707e6 Add TLS integration test for ingress gateway
- Pull Consul Root CA from API in order to verify certificate chain
- Assert on the DNSSAN as well to ensure it is correct
2020-05-06 15:12:02 -05:00
Chris Piraino 91586b9228 Validate hosts input in ingress gateway config entry
We can only allow host names that are valid domain names because we put
these hosts into a DNSSAN. In addition, we validate that the wildcard
specifier '*' is only present as the leftmost label to allow for a
wildcard DNSSAN and associated wildcard Host routing in the ingress
gateway proxy.
2020-05-06 15:12:02 -05:00
Kyle Havlovitz bd6bb3bf2d Add TLS option and DNS SAN support to ingress config
xds: Only set TLS context for ingress listener when requested
2020-05-06 15:12:02 -05:00
R.B. Boyer ea21280636
test: make auth method cli crud test helper ignore the default namespace (#7799) 2020-05-06 15:09:47 -05:00
Chris Piraino cf03f3df31
Merge pull request #7678 from hashicorp/ingress/host-header-routing
Allow ingress gateways to route traffic based on Host header
2020-05-06 15:07:36 -05:00
Chris Piraino ac115e39b2 A proxy-default config entry only exists in the default namespace 2020-05-06 15:06:14 -05:00
Chris Piraino ff501ffb40 Correctly set a namespace label in the required domain for xds routes
If an upstream is not in the default namespace, we expect DNS requests
to be served over "<service-name>.ingress.<namespace>.*"
2020-05-06 15:06:14 -05:00