Commit Graph

16225 Commits

Author SHA1 Message Date
Konstantine 0f7d95d1ee added hcl 2021-12-03 00:54:39 +02:00
Matt Keeler 607b0e9527 Add the changelog entry for bbolt modifications 2021-12-02 16:59:13 -05:00
Matt Keeler 68e629a476 Emit raft-boltdb metrics 2021-12-02 16:56:15 -05:00
Daniel Nephin 8e2c71528f config: add NoFreelistSync option
# Conflicts:
#	agent/config/testdata/TestRuntimeConfig_Sanitize-enterprise.golden
#	agent/consul/server.go
2021-12-02 16:56:15 -05:00
Matt Keeler 1f49738167 Use raft-boltdb/v2 2021-12-02 16:56:15 -05:00
Daniel Nephin d2f53d20ac
Merge pull request #11672 from hashicorp/dnephin/ca-fix-signing-key-id-post-update
ca: set the correct SigningKeyID after config update with Vault provider
2021-12-02 16:24:54 -05:00
Daniel Nephin fa32c78429 ca: set the correct SigningKeyID after config update with Vault provider
The test added in this commit shows the problem. Previously the
SigningKeyID was set to the RootCert not the local leaf signing cert.

This same bug was fixed in two other places back in 2019, but this last one was
missed.

While fixing this bug I noticed I had the same few lines of code in 3
places, so I extracted a new function for them.

There would be 4 places, but currently the InitializeCA flow sets this
SigningKeyID in a different way, so I've left that alone for now.
2021-12-02 16:07:11 -05:00
Daniel Nephin a0014e13fd
Merge pull request #11713 from hashicorp/dnephin/ca-test-names
ca: make test naming consistent
2021-12-02 16:05:42 -05:00
Daniel Nephin 720d782225
Merge pull request #11671 from hashicorp/dnephin/ca-fix-storing-vault-intermediate
ca: fix storing the leaf signing cert with Vault provider
2021-12-02 16:02:24 -05:00
Daniel Nephin a0160f7426
Merge pull request #11677 from hashicorp/dnephin/freeport-interface
sdk: use t.Cleanup in freeport and remove unnecessary calls
2021-12-02 15:58:41 -05:00
Konstantine 31aaa8349a
Update website/content/docs/discovery/dns.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-12-02 22:39:21 +02:00
Konstantine 2218537aee
Update website/content/docs/discovery/dns.mdx
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-12-02 22:39:14 +02:00
Konstantine 9872b8dd58
Update website/content/docs/discovery/dns.mdx
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2021-12-02 22:39:02 +02:00
Konstantine 631cb6b7d4
Update website/content/docs/discovery/dns.mdx
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2021-12-02 22:38:57 +02:00
Daniel Nephin c1cb77b829 ca: make test naming consistent
While working on the CA system it is important to be able to run all the
tests related to the system, without having to wait for unrelated tests.
There are many slow and unrelated tests in agent/consul, so we need some
way to filter to only the relevant tests.

This PR renames all the CA system related tests to start with either
`TestCAMananger` for tests of internal operations that don't have RPC
endpoint, or `TestConnectCA` for tests of RPC endpoints. This allows us
to run all the test with:

    go test -run 'TestCAMananger|TestConnectCA' ./agent/consul

The test naming follows an undocumented convention of naming tests as
follows:

    Test[<struct name>_]<function name>[_<test case description>]

I tried to always keep Primary/Secondary at the end of the description,
and _Vault_ has to be in the middle because of our regex to run those
tests as a separate CI job.

You may notice some of the test names changed quite a bit. I did my best
to identify the underlying method being tested, but I may have been
slightly off in some cases.
2021-12-02 14:57:09 -05:00
FFMMM 38c457b486
add MustRevalidate flag to connect_ca_leaf cache type; always use on non-blocking queries (#11693)
* always use MustRevalidate on non-blocking queries for connect ca leaf

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

* Update agent/agent_endpoint_test.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* pr feedback

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-12-02 11:32:15 -08:00
Daniel Nephin 460f8919c9 ca: make getLeafSigningCertFromRoot safer
As a method on the struct type this would not be safe to call without first checking
c.isIntermediateUsedToSignLeaf.

So for now, move this logic to the CAMananger, so that it is always correct.
2021-12-02 12:42:49 -05:00
Daniel Nephin 64532ef636 ca: fix stored CARoot representation with Vault provider
We were not adding the local signing cert to the CARoot. This commit
fixes that bug, and also adds support for fixing existing CARoot on
upgrade.

Also update the tests for both primary and secondary to be more strict.
Check the SigningKeyID is correct after initialization and rotation.
2021-12-02 12:42:49 -05:00
Dan Upton eff3dc09b6
Rename `agent_master` ACL token in the API and CLI (#11669) 2021-12-02 17:05:27 +00:00
Dhia Ayachi 8789308d2d
fix changelog file name (#11710) 2021-12-02 11:41:08 -05:00
Dhia Ayachi ce4c2342d3
add changelog (#11708) 2021-12-02 11:05:14 -05:00
Dan Upton e1829a8706
Rename `master` and `agent_master` ACL tokens in the config file format (#11665) 2021-12-01 21:08:14 +00:00
Chris S. Kim 67eacee31e
ENT to OSS sync (#11703) 2021-12-01 14:56:10 -05:00
R.B. Boyer 70b143ddc5
auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 13:32:34 -06:00
Iryna Shustava 1e8a83d100
Update issue templates to link to consul-k8s instead of consul-helm (#11701) 2021-12-01 11:37:37 -07:00
Paul Banks 5015e9a733 Reformatting suggestions from review 2021-12-01 15:35:24 +00:00
Paul Banks 15ece49126 Apply suggestions from code review
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-12-01 15:13:40 +00:00
Paul Banks d149311cee Apply suggestions from code review
Co-authored-by: mrspanishviking <kcardenas@hashicorp.com>
2021-12-01 15:13:40 +00:00
Paul Banks c1b9601a94 Add documentation for SDS support in ingress gateways. 2021-12-01 15:13:40 +00:00
Heronimus Tresy 409385ed23
docs: community tools - add string2files consul-template plugin (#11675) 2021-12-01 09:24:47 -05:00
John Cowen 33a405ae8f
ui: Don't cache event sources following a 401 (#11681) 2021-12-01 13:24:52 +00:00
John Cowen c6dd21f4dd
ui: Refactor KV and Lock Sessions following partitions update (#11666)
This commit uses all our new ways of doing things to Lock Sessions and their interactions with KV and Nodes. This is mostly around are new under-the-hood things, but also I took the opportunity to upgrade some of the CSS to reuse some of our CSS utils that have been made over the past few months (%csv-list and %horizontal-kv-list).

Also added (and worked on existing) documentation for Lock Session related components.
2021-12-01 11:33:33 +00:00
John Cowen 8092595057
ui: Don't check global session permissions for a single session (#11657) 2021-12-01 11:06:44 +00:00
John Cowen 6fa1a058a6
ui: Add `Service.Partition` as available variable for dashboard urls (#11654) 2021-12-01 11:05:57 +00:00
John Cowen 8750d74a51
ui: Don't show policy datacenter selector for non-default partitions (#11656) 2021-12-01 11:05:15 +00:00
John Cowen 91383269b9
ui: Move nspace CRUD to use the same approach as partitions (#11633)
This sounds a bit 'backwards' as the end goal here is to add an improved UX to partitions, not namespaces. The reason for doing it this way is that Namespaces already has a type of 'improved UX' CRUD in that it has one to many relationship in the form when saving your namespaces (the end goal for partitions). In moving Namespaces to use the same approach as partitions we:

- Ensure the new approach works with one-to-many forms.
- Test the new approach without writing a single test (we already have a bunch of tests for namespaces which are now testing the approach used by both namespaces and partitions)

Additionally:

- Fixes issue with missing default nspace in the nspace selector
- In doing when checking to see that things where consistent between the two, I found a few little minor problems with the Admin Partition CRUD so fixed those up here also.
- Removed the old style Nspace notifications
2021-12-01 11:04:02 +00:00
Daniel Nephin 963a9819d0 ca: add some godoc and func for finding leaf signing cert
This will be used in a follow up commit.
2021-11-30 18:36:41 -05:00
Daniel Nephin 056a52ba64 sdk/freeport: rename Port to GetOne
For better consistency with GetN
2021-11-30 17:32:41 -05:00
trujillo-adam cff9356f97
Merge pull request #11558 from hashicorp/docs/admin-partitions-service-exports-configuration-entry
Admin partition docs: cross-partition support beta2/3
2021-11-30 11:22:30 -08:00
trujillo-adam 861e756b70 addtional feedback; added PartitionExports to CRDs section 2021-11-30 11:18:12 -08:00
Chris S. Kim e9c661db7f
Refactor test helper (#11689)
Allow custom ACL root tokens to be passed
2021-11-30 13:22:07 -05:00
Chris S. Kim 0ec67cc2d1
acl: Fill authzContext from token in Coordinate endpoints (#11688) 2021-11-30 13:17:41 -05:00
Daniel Nephin 11cdf7dfd9 sdk: upgrade freeport godoc
To clarify how it works, and when it is important to use.
2021-11-30 12:41:14 -05:00
trujillo-adam 5c47887093 applied additional feedback 2021-11-29 13:28:05 -08:00
David Yu db01c70914
docs: Notes about WAN Federation when using Vault as Connect CA (#11143)
* docs: Notes about WAN Federation when using Vault as Connect CA

* Apply suggestions from code review

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update website/content/docs/connect/ca/vault.mdx

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>

* Update vault.mdx

* Update vault.mdx

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2021-11-29 12:37:14 -08:00
Daniel Nephin 2a2c3e204f
Merge pull request #11673 from hashicorp/dnephin/ca-remove-raft-apply-resp-err-handle
ca: clean up unnecessary raft.Apply response checking
2021-11-29 15:25:21 -05:00
freddygv b1c6608c88 Rename partition CLI command 2021-11-29 12:20:51 -07:00
freddygv 76146dfc5b Move ent config test to ent file 2021-11-29 12:15:17 -07:00
freddygv 6d51282adf Prevent partition-exports entry from OSS usage
Validation was added on the config entry kind since that is called when
validating config entries to bootstrap via agent configuration and when
applying entries via the config RPC endpoint.
2021-11-29 11:24:16 -07:00
Daniel Nephin 4f0d092c95 testing: remove unnecessary calls to freeport
Previously we believe it was necessary for all code that required ports
to use freeport to prevent conflicts.

https://github.com/dnephin/freeport-test shows that it is actually save
to use port 0 (`127.0.0.1:0`) as long as it is passed directly to
`net.Listen`, and the listener holds the port for as long as it is
needed.

This works because freeport explicitly avoids the ephemeral port range,
and port 0 always uses that range. As you can see from the test output
of https://github.com/dnephin/freeport-test, the two systems never use
overlapping ports.

This commit converts all uses of freeport that were being passed
directly to a net.Listen to use port 0 instead. This allows us to remove
a bit of wrapping we had around httptest, in a couple places.
2021-11-29 12:19:43 -05:00