R.B. Boyer
efd8f562a2
update changelog
2020-05-11 21:00:26 -05:00
R.B. Boyer
940e5ad160
acl: add auth method for JWTs ( #7846 )
2020-05-11 20:59:29 -05:00
Daniel Nephin
801bfb9477
ci: debugging for golangci-lint download failing
...
We've seen a few CI runs fail with "exit status 52". This will hopefully give us more detail about what is failing.
2020-05-11 19:54:18 -04:00
Kit Patella
24175e2925
Merge pull request #7843 from hashicorp/oss-sync/auditing-config
...
agent/config: Fix tests & include Audit struct as a pointer on Config
2020-05-11 14:23:44 -07:00
Kit Patella
a4ee78440b
agent/config: include Audit struct as a pointer on Config, fix tests
2020-05-11 14:13:05 -07:00
Kit Patella
a45b67b40f
Merge pull request #7841 from hashicorp/oss-sync/auditing-config
...
OSS sync - Auditing config
2020-05-11 13:44:38 -07:00
Kit Patella
f82a97f8c8
agent/config: add auditing config to OSS and add to enterpriseConfigMap exclusions
2020-05-11 13:27:35 -07:00
Preetha Appan
f3ee8d4777
Add Beta super script to page title
...
also moves version availability to below feature title
2020-05-11 14:59:17 -05:00
Chris Piraino
1173b31949
Return early from updateGatewayServices if nothing to update ( #7838 )
...
* Return early from updateGatewayServices if nothing to update
Previously, we returned an empty slice of gatewayServices, which caused
us to accidentally delete everything in the memdb table
* PR comment and better formatting
2020-05-11 14:46:48 -05:00
Chris Piraino
1a7c99cf31
Fix TestInternal_GatewayServiceDump_Ingress ( #7840 )
...
Protocol was added as a field on GatewayServices after
GatewayServiceDump PR branch was created.
2020-05-11 14:46:31 -05:00
R.B. Boyer
c54211ad52
cli: ensure 'acl auth-method update' doesn't deep merge the Config field ( #7839 )
2020-05-11 14:21:17 -05:00
Chris Piraino
107c7a9ca7
PR comment and better formatting
2020-05-11 14:04:59 -05:00
Iryna Shustava
97bca3476e
docs: add docs for configuring ACLs with external servers ( #7802 )
2020-05-11 11:26:10 -07:00
Chris Piraino
9f924400e0
Return early from updateGatewayServices if nothing to update
...
Previously, we returned an empty slice of gatewayServices, which caused
us to accidentally delete everything in the memdb table
2020-05-11 12:38:04 -05:00
Freddy
ebbb234ecb
Gateway Services Nodes UI Endpoint ( #7685 )
...
The endpoint supports queries for both Ingress Gateways and Terminating Gateways. Used to display a gateway's linked services in the UI.
2020-05-11 11:35:17 -06:00
Kyle Havlovitz
28b4819882
Merge pull request #7759 from hashicorp/ingress/tls-hosts
...
Add TLS option for Ingress Gateway listeners
2020-05-11 09:18:43 -07:00
Kyle Havlovitz
dc1112eaf8
Disallow the blanket wildcard prefix from being used as custom host
2020-05-08 20:24:18 -07:00
Chris Piraino
3931015a90
Remove development log line
2020-05-08 20:24:18 -07:00
Chris Piraino
29afac01c8
Set default protocol to http in TLS integration test
2020-05-08 20:23:23 -07:00
Chris Piraino
a500262a77
Compute all valid DNSSANs for ingress gateways
...
For DNSSANs we take into account the following and compute the
appropriate wildcard values:
- source datacenter
- namespaces
- alt domains
2020-05-08 20:23:17 -07:00
Preetha Appan
40c67ee0cc
Add beta superscript to docs title for wan federation over mesh gateways
2020-05-08 18:25:41 -05:00
Preetha Appan
f4bba1d204
Redo PR #7430 for new website
...
Still has todos and diagrams to be added
2020-05-08 18:07:45 -05:00
Daniel Nephin
a8adcf2a96
Merge pull request #7713 from hashicorp/dnephin/connect-proxy-passive-healthcheck
...
xds: Add passive health check config for upstreams (aka envoy outlier detection)
2020-05-08 15:48:50 -04:00
Daniel Nephin
ce3aeb85f5
Add outlier_detection check to integration test
...
Fix decoding of time.Duration types.
2020-05-08 14:56:57 -04:00
Daniel Nephin
987875524a
xds: Add passive health check config for upstreams
2020-05-08 14:56:57 -04:00
Chris Piraino
a635e23f86
Restoring config entries updates the gateway-services table ( #7811 )
...
- Adds a new validateConfigEntryEnterprise function
- Also fixes some state store tests that were failing in enterprise
2020-05-08 13:24:33 -05:00
Daniel Nephin
c2499418ed
test: Remove t.Parallel() from agent/structs tests
...
go test will only run tests in parallel within a single package. In this case the package test run time is exactly the same with or without t.Parallel() (~0.7s).
In generally we should avoid t.Parallel() as it causes a number of problems with `go test` not reporting failure messages correctly. I encountered one of these problems, which is what prompted this change. Since `t.Parallel` is not providing any benefit in this package, this commit removes it.
The change was automated with:
git grep -l 't.Parallel' | xargs sed -i -e '/t.Parallel/d'
2020-05-08 14:06:10 -04:00
Freddy
a37d7a42c9
Fix up enterprise compatibility for gateways ( #7813 )
2020-05-08 09:44:34 -06:00
Jono Sosulska
44011c81f2
Fix spelling of deregister ( #7804 )
2020-05-08 10:03:45 -04:00
Denislav Denov
7d9ac06f83
Merge pull request #7815 from hashicorp/denislavdenov-patch-1
...
Update license.mdx
2020-05-08 16:04:39 +03:00
Denislav Denov
3932b5b907
Update website/pages/docs/commands/license.mdx
...
Co-authored-by: danielehc <40759828+danielehc@users.noreply.github.com>
2020-05-08 15:51:52 +03:00
Denislav Denov
aa5527303b
Update license.mdx
...
Hello team,
I noticed that the reset part of the consul license command was missing in the documentation so I added it and created this PR.
2020-05-08 11:13:41 +03:00
R.B. Boyer
bf70ad1802
cli: oss refactors to support making the auth method CLI aware of namespace rules in enterprise ( #7812 )
2020-05-07 17:08:42 -05:00
Chris Piraino
2d657c3c0f
Allow ingress gateways to send empty clusters, routes, and listeners ( #7795 )
...
This is useful when updating an config entry with no services, and the
expected behavior is that envoy closes all listeners and clusters.
We also allow empty routes because ingress gateways name route
configurations based on the port of the listener, so it is important we
remove any stale routes. Then, if a new listener with an old port is
added, we will not have to deal with stale routes hanging around routing
to the wrong place.
Endpoints are associated with clusters, and thus by deleting the
clusters we don't have to care about sending empty endpoint responses.
2020-05-07 16:19:25 -05:00
Chris Piraino
964e55e45e
Cleanup proxycfg for TLS
...
- Use correct enterprise metadata for finding config entry
- nil out cancel functions on config snapshot copy
- Look at HostsSet when checking validity
2020-05-07 10:22:57 -05:00
Jeff Escalante
55e5c1b9ef
add alert banner to website
2020-05-06 20:06:39 -04:00
Chris Piraino
ad8a0544f2
Require individual services in ingress entry to match protocols ( #7774 )
...
We require any non-wildcard services to match the protocol defined in
the listener on write, so that we can maintain a consistent experience
through ingress gateways. This also helps guard against accidental
misconfiguration by a user.
- Update tests that require an updated protocol for ingress gateways
2020-05-06 16:09:24 -05:00
Freddy
a749f46316
Remove timeout and call to Fatal from goroutine ( #7797 )
2020-05-06 14:33:17 -06:00
R.B. Boyer
65af2a323c
update changelog
2020-05-06 15:32:27 -05:00
R.B. Boyer
095f0503e8
test: make auth method cli crud test work in both oss and ent ( #7800 )
2020-05-06 15:16:50 -05:00
Kyle Havlovitz
a198282349
Add a check for custom host to ingress TLS integration test
2020-05-06 15:12:02 -05:00
Chris Piraino
bebf1d5df9
Add TLS field to ingress API structs
...
- Adds test in api and command/config/write packages
2020-05-06 15:12:02 -05:00
Chris Piraino
2a10984efb
Add test for adding DNSSAN for ConnectCALeaf cache type
2020-05-06 15:12:02 -05:00
Kyle Havlovitz
c194e707e6
Add TLS integration test for ingress gateway
...
- Pull Consul Root CA from API in order to verify certificate chain
- Assert on the DNSSAN as well to ensure it is correct
2020-05-06 15:12:02 -05:00
Chris Piraino
91586b9228
Validate hosts input in ingress gateway config entry
...
We can only allow host names that are valid domain names because we put
these hosts into a DNSSAN. In addition, we validate that the wildcard
specifier '*' is only present as the leftmost label to allow for a
wildcard DNSSAN and associated wildcard Host routing in the ingress
gateway proxy.
2020-05-06 15:12:02 -05:00
Kyle Havlovitz
bd6bb3bf2d
Add TLS option and DNS SAN support to ingress config
...
xds: Only set TLS context for ingress listener when requested
2020-05-06 15:12:02 -05:00
R.B. Boyer
ea21280636
test: make auth method cli crud test helper ignore the default namespace ( #7799 )
2020-05-06 15:09:47 -05:00
Chris Piraino
cf03f3df31
Merge pull request #7678 from hashicorp/ingress/host-header-routing
...
Allow ingress gateways to route traffic based on Host header
2020-05-06 15:07:36 -05:00
Chris Piraino
ac115e39b2
A proxy-default config entry only exists in the default namespace
2020-05-06 15:06:14 -05:00
Chris Piraino
ff501ffb40
Correctly set a namespace label in the required domain for xds routes
...
If an upstream is not in the default namespace, we expect DNS requests
to be served over "<service-name>.ingress.<namespace>.*"
2020-05-06 15:06:14 -05:00