Commit Graph

15439 Commits

Author SHA1 Message Date
Dhia Ayachi b57cf27e8f
Format certificates properly (rfc7468) with a trailing new line (#10411)
* trim carriage return from certificates when inserting rootCA in the inMemDB

* format rootCA properly when returning the CA on the connect CA endpoint

* Fix linter warnings

* Fix providers to trim certs before returning it

* trim newlines on write when possible

* add changelog

* make sure all provider return a trailing newline after the root and intermediate certs

* Fix endpoint to return trailing new line

* Fix failing test with vault provider

* make test more robust

* make sure all provider return a trailing newline after the leaf certs

* Check for suffix before removing newline and use function

* Add comment to consul provider

* Update change log

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* fix typo

* simplify code callflow

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>

* extract requireNewLine as shared func

* remove dependency to testify in testing file

* remove extra newline in vault provider

* Add cert newline fix to envoy xds

* remove new line from mock provider

* Remove adding a new line from provider and fix it when the cert is read

* Add a comment to explain the fix

* Add missing for leaf certs

* fix missing new line

* fix missing new line in leaf certs

* remove extra new line in test

* updage changelog

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* fix in vault provider and when reading cache (RPC call)

* fix AWS provider

* fix failing test in the provider

* remove comments and empty lines

* add check for empty cert in test

* fix linter warnings

* add new line for leaf and private key

* use string concat instead of Sprintf

* fix new lines for leaf signing

* preallocate slice and remove append

* Add new line to `SignIntermediate` and `CrossSignCA`

Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-06-30 20:48:29 -04:00
Kenia 1ec131924a
Add changelog to backported bug fix for Topology Metrics (#10538) 2021-06-30 16:51:29 -04:00
Daniel Nephin 72ea979c39
Merge pull request #10515 from hashicorp/dnephin/fix-arm32-atomic-aligment
Fix panic on 32-bit platforms
2021-06-30 16:40:20 -04:00
David Yu e4cf9fcc9c
docs: remove alpha from 1.10.0 reference for observability on k8s metrics merging (#10528)
The docs note an alpha pre-release version on K8s observability. Updating to only reference the GA 1.10.0 version of Consul for observability on k8s and metrics merging.
2021-06-30 12:18:19 -07:00
Daniel Nephin 9a0680040e
Merge pull request #10527 from hashicorp/rename-main-branch
Update references to the main branch
2021-06-30 13:07:09 -04:00
R.B. Boyer 9d02770a99
build: ensure make go-build-image target builds tools in isolation (#10534) 2021-06-30 11:36:02 -05:00
Luke Kysow 128d4444f5
docs: Document setting dashboard_url on k8s (#10510)
It's tricky because the `{{` needs to be escaped with Helm.
2021-06-30 09:16:38 -07:00
Jan Berktold cf205d7fd9
Add rs-consul client to community-provided SDKs list (#10529)
* Add rs-consul

* Update website/content/api-docs/libraries-and-sdks.mdx

Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
2021-06-30 10:43:41 -04:00
Blake Covarrubias bd07b90a63
docs: Add Consul 1.10 release notes (#10489)
Co-authored-by: Mike Morris <mikemorris@users.noreply.github.com>
2021-06-29 16:08:57 -07:00
Daniel Nephin 17c3c463ae Rename main branch in CHANGELOG and website docs 2021-06-29 18:55:35 -04:00
Daniel Nephin c2cc9b6bda Update references to the main branch
The main branch is being renamed from master->main. This commit should
update all references to the main branch to the new name.

Co-Authored-By: Mike Morris <mikemorris@users.noreply.github.com>
2021-06-29 17:17:38 -04:00
Iryna Shustava e6e3e196db
docs: add docs for running a single Consul dc in multiple k8s clusters (#10508) 2021-06-29 14:23:36 -06:00
Daniel Nephin 23a0757e34 ci: add go-test-32bit and lint-32bit to catch atomic misalignment panics 2021-06-29 16:10:21 -04:00
Daniel Nephin 843e08bb23 testing: fix a test for 32-bit
The hcl decoding apparently uses strconv.ParseInt, which fails to parse a 64bit int.
Since hcl v1 is basically EOl, it seems unlikely we'll fix this in hcl.

Since this test is only about loading values from config files, the extra large number
doesn't seem important. Trim a few zeros from the numbers so that they parse
properly on 32bit platforms.

Also skip a slow test when -short is used.
2021-06-29 16:10:21 -04:00
Daniel Nephin e226733b26 fix 64-bit aligment for 32-bit platforms
sync/atomic must be used with 64-bit aligned fields, and that alignment is difficult to
ensure unless the field is the first one in the struct.

https://golang.org/pkg/sync/atomic/#pkg-note-BUG.
2021-06-29 16:10:21 -04:00
jkirschner-hashicorp 88bee0127e
Merge pull request #10519 from jkirschner-hashicorp/fix-doc-service-splitter-example
docs: fix service splitter example weight sum
2021-06-29 15:51:18 -04:00
Ashwin Venkatesh 23ca62c606
Add docs for gossip encryption key rotation (#10522)
* Add docs for gossip encryption key rotation with feedback from David, Kyle and Luke.
2021-06-29 14:45:19 -04:00
Daniel Nephin e5dbc4262b
Merge pull request #10437 from christopherlai/patch-1
Link to Reverse Proxy from Load Balancer
2021-06-29 14:37:41 -04:00
Blake Covarrubias e51f92484c
docs: Add audit logging examples (#10382)
* docs: Add audit logging examples

Resolves #8375, resolves #9055
2021-06-29 10:58:15 -07:00
Blake Covarrubias 50fba03268
docs: Clarify serf_lan/retry_join behavior with network segments (#10386)
* docs: Add info on using cloud auto-join with Network Segments

Resolves hashicorp/go-discover#57

* Add note about joining network segments

Specifically call out that agents can be configured to join a network
segment by either specifying the Serf LAN port in the join address,
changing the agent's default Serf LAN port by configuring
`ports.serf_lan`, or specifying the port in the `-serf-lan-port`
command line flag.

Resolves #9972
2021-06-29 10:57:33 -07:00
David Yu 351c5e350d
docs: Remove Helm 2 mention in Consul K8s install and uninstall (#10517)
* docs: Remove Helm 2 mention in Consul K8s install and uninstall
Helm 2 is no longer supported via Consul K8s. Helm 3 is now the supported version for Consul K8s.
2021-06-29 09:18:08 -07:00
Mike Ajala 9a8c966f74
Update self-hosted-kubernetes.mdx (#10518)
Corrected typo, from you _mean_ need to you _may_ need.
2021-06-29 09:17:07 -07:00
Jared Kirschner 817a7ff454 Fix service splitter example weight sum
Weight sum must be equal to 100.
2021-06-29 07:01:55 -04:00
Daniel Nephin 1074332a36
Merge pull request #10514 from hashicorp/dnephin/actually-enable-streaming
streaming: fix not being able to enable streaming
2021-06-28 18:52:03 -04:00
Daniel Nephin ffefcdc025 streaming: support X-Cache-Hit header
If a value was already available in the local view the request is considered a cache hit.
If the materialized had to wait for a value, it is considered a cache miss.
2021-06-28 17:29:23 -04:00
Daniel Nephin a4a390d7c5 streaming: fix enable of streaming in the client
And add checks to all the tests that explicitly use streaming.
2021-06-28 17:23:14 -04:00
Daniel Nephin 62beaa80f3 Remove a racy and failing test
This test is super racy (it's not just a single line).

This test also starts failing once streaming is enabled, because the
cache rate limit no longer applies to the requests in the test. The
queries use streaming instead of the cache.

This test is no longer valid, and the functionality is already well
tested by TestCacheThrottle.  Instead of spending time rewriting this
test, let's remove it.

```
WARNING: DATA RACE
Read at 0x00c01de410fc by goroutine 735:
  github.com/hashicorp/consul/agent.TestCacheRateLimit.func1()
      /home/daniel/pers/code/consul/agent/agent_test.go:1024 +0x9af
  github.com/hashicorp/consul/testrpc.WaitForTestAgent()
      /home/daniel/pers/code/consul/testrpc/wait.go:99 +0x209
  github.com/hashicorp/consul/agent.TestCacheRateLimit.func1()
      /home/daniel/pers/code/consul/agent/agent_test.go:966 +0x1ad
  testing.tRunner()
      /usr/lib/go/src/testing/testing.go:1193 +0x202

Previous write at 0x00c01de410fc by goroutine 605:
  github.com/hashicorp/consul/agent.TestCacheRateLimit.func1.2()
      /home/daniel/pers/code/consul/agent/agent_test.go:998 +0xe9

Goroutine 735 (running) created at:
  testing.(*T).Run()
      /usr/lib/go/src/testing/testing.go:1238 +0x5d7
  github.com/hashicorp/consul/agent.TestCacheRateLimit()
      /home/daniel/pers/code/consul/agent/agent_test.go:961 +0x375
  testing.tRunner()
      /usr/lib/go/src/testing/testing.go:1193 +0x202

Goroutine 605 (finished) created at:
  github.com/hashicorp/consul/agent.TestCacheRateLimit.func1()
      /home/daniel/pers/code/consul/agent/agent_test.go:1022 +0x91e
  github.com/hashicorp/consul/testrpc.WaitForTestAgent()
      /home/daniel/pers/code/consul/testrpc/wait.go:99 +0x209
  github.com/hashicorp/consul/agent.TestCacheRateLimit.func1()
      /home/daniel/pers/code/consul/agent/agent_test.go:966 +0x1ad
  testing.tRunner()
      /usr/lib/go/src/testing/testing.go:1193 +0x202
```
2021-06-28 17:23:13 -04:00
Daniel Nephin d0e32cc3ba http: add an X-Consul-Query-Backend header to responses
So that it is easier to detect and test when streaming is being used.
2021-06-28 16:44:58 -04:00
Daniel Nephin 902bd80989
Merge pull request #10506 from hashicorp/dnephin/docs-rpc-query-metrics
docs: correct some misleading telemetry docs
2021-06-28 12:33:57 -04:00
Daniel Nephin 86244967c5 docs: correct some misleading telemetry docs
The query metrics are actually reported for all read queries, not only
ones that use a MinIndex to block for updates.

Also clarify the raft.apply metric is only on the leader.
2021-06-28 12:20:53 -04:00
Kendall Strautman 1cab0b41bb
chore: upgrade react-head and deps (#10499) 2021-06-28 08:39:14 -07:00
Daniel Nephin 6b5d3b78ef
Merge pull request #10497 from hashicorp/dnephin/tls-cert-exploration-3
tlsutil: unexport and remove methods
2021-06-25 18:24:33 -04:00
R.B. Boyer 30ccd5c2d9
connect: include optional partition prefixes in SPIFFE identifiers (#10507)
NOTE: this does not include any intentions enforcement changes yet
2021-06-25 16:47:47 -05:00
Freddy 6adc615512
Update CONTRIBUTING.md 2021-06-25 14:43:53 -06:00
R.B. Boyer c3d5a2a5ab
connect/ca: cease including the common name field in generated certs (#10424)
As part of this change, we ensure that the SAN extensions are marked as
critical when the subject is empty so that AWS PCA tolerates the loss of
common names well and continues to function as a Connect CA provider.

Parts of this currently hack around a bug in crypto/x509 and can be
removed after https://go-review.googlesource.com/c/go/+/329129 lands in
a Go release.

Note: the AWS PCA tests do not run automatically, but the following
passed locally for me:

    ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS
2021-06-25 13:00:00 -05:00
hc-github-team-consul-core f0f5d9bfc4 auto-updated agent/uiserver/bindata_assetfs.go from commit ace794d21 2021-06-25 09:47:01 +00:00
John Cowen a210cce332
ui: Enable specifying additional docfy config as json (#10464) 2021-06-25 10:41:41 +01:00
Dhia Ayachi 8b967b3bb6
return an empty record when asked for an addr dns with type other then A, AAAA and ANY (#10401)
* return an invalid record when asked for an addr dns with type other then A and AAAA

* add changelog

* fix ANY use case and add a test for it

* update changelog type

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* return empty response if the question record type do not match for addr

* set comment in the right place

* return A\AAAA record in extra section if record type is not A\AAAA for addr

* Fix failing test

* remove commented code

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* use require for test validation

* use variable to init struct

* fix failing test

* Update agent/dns.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update .changelog/10401.txt

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update agent/dns.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update agent/dns.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* Update agent/dns.go

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>

* fix compilation error

Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-06-24 20:44:44 -04:00
Daniel Nephin 4cc444e15f Invert the logic of outgoingRPCTLSDisabled
To remove the double negatives, which should make it easier to read.
2021-06-24 19:25:02 -04:00
Daniel Nephin 77dde1df38 tlsutil: inline verifyIncomingHTTPS
This function was only used in one place, and the indirection makes it slightly
harder to see what the one caller is doing. Since it's only accesing a couple fields
it seems like the logic can exist in the one caller.
2021-06-24 19:25:02 -04:00
Daniel Nephin 7342c7e977 tlsutil: remove indirection and duplication
VerifyIncomingRPC and verifyIncomingRPC were duplicate functions, and
once one is removed, Config.verifyIncomingRPC is only called in one place.

Remove 2 of the 3 functions to make the behaviour easier to follow (less indirection).
2021-06-24 18:43:30 -04:00
Daniel Nephin 9f9ffd990d tlsutil: remove unnecessary getter functions
These functions did nothing but hide the fields they were returning.
2021-06-24 18:43:29 -04:00
Daniel Nephin b30ec82d2d tlsutil: unexport and remove indirection
Unexport outgoingALPNRPCConfig since it is only used internally
Remove the MutualTLSCapable->mutualTLSCapable indirection, we only need the exported method.
Inline enableAgentTLSForChecks to make it more clear what it does, since it only has a single caller and is wrapping a single field lookup.
2021-06-24 18:43:29 -04:00
Ludovic Ortega a1e7556af6
[Fix] Add missing quote (#10484) 2021-06-24 13:59:39 -07:00
R.B. Boyer f408c4d387
sdk: Stop making a special /tmp/consul-test directory for testutil.TempFile and testutil.TempDir (#10494) 2021-06-24 15:46:23 -05:00
lornasong c232a544a4
docs/nia: fix catalog-services typos pt 2 (#10493) 2021-06-24 16:45:46 -04:00
R.B. Boyer e20abcc14f
connect/proxy: fixes logic bug preventing builtin/native proxy from starting upstream listeners (#10486)
Fixes #10480

Also fixed a data race in the `connect/proxy` package that was unearthed by the tests changed for this bugfix.
2021-06-24 15:02:34 -05:00
Kim Ngo 811aa82f15
docs/nia: fix typo (#10492) 2021-06-24 13:51:26 -05:00
Daniel Nephin a620a7eced
Merge pull request #10490 from hashicorp/dnephin/fix-tls-for-health-check
tlsutil: fix ServerName used for health checks that use TLS
2021-06-24 14:27:16 -04:00
Daniel Nephin cefbb5bf3f
Merge pull request #10476 from hashicorp/dnephin/ca-primary-uses-intermediate
ca: replace ca.PrimaryIntermediateProviders
2021-06-24 14:05:19 -04:00