Chelsea Holland Komlo
19e4a5489b
add support for tls PreferServerCipherSuites
...
add further tests for tls configuration
2018-05-25 13:20:00 -04:00
Chelsea Holland Komlo
38f611a7f2
refactor NewTLSConfiguration to pass in verifyIncoming/verifyOutgoing
...
add missing fields to TLS merge method
2018-05-23 18:35:30 -04:00
Chelsea Holland Komlo
44f536f18e
add support for configurable TLS minimum version
2018-05-09 18:07:12 -04:00
Chelsea Holland Komlo
796bae6f1b
allow configurable cipher suites
...
disallow 3DES and RC4 ciphers
add documentation for tls_cipher_suites
2018-05-09 17:15:31 -04:00
Chelsea Holland Komlo
b33d909bf9
add test to assert invalid files return error
2018-03-28 18:31:35 -04:00
Chelsea Holland Komlo
58ada9bc42
return error when setting checksum; don't reload
2018-03-28 18:15:50 -04:00
Chelsea Holland Komlo
2d5af7ff4d
set TLS checksum when parsing config
...
Refactor checksum comparison, always set checksum if it is empty
2018-03-28 09:56:11 -04:00
Chelsea Holland Komlo
6e6d6b7e33
check file contents when determining if agent should reload TLS configuration
2018-03-27 15:42:20 -04:00
Chelsea Holland Komlo
66e44cdb73
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 17:51:08 -04:00
James Rasell
121c3bc997
Update Consul check params from using health-check to check.
2018-03-20 16:03:58 +01:00
James Rasell
15afef9b77
Allow Nomads Consul health checks to be configurable.
...
This change allows the client HTTP and the server HTTP, Serf and
RPC health check names within Consul to be configurable with the
defaults as previous. The configuration can be done via either a
config file or using CLI flags.
Closes #3988
2018-03-19 19:37:56 +01:00
Kyle Havlovitz
2ccf565bf6
Refactor redundancy_zone/upgrade_version out of client meta
2018-01-29 20:03:38 -08:00
Chelsea Komlo
d09cc2a69f
Merge pull request #3492 from hashicorp/f-client-tls-reload
...
Client/Server TLS dynamic reload
2018-01-23 05:51:32 -05:00
Kyle Havlovitz
bc385bcc93
Fix comments/text referring to consul
2018-01-17 00:20:13 -08:00
Chelsea Holland Komlo
0708d34135
call reload on agent, client, and server separately
2018-01-08 09:56:31 -05:00
Chelsea Holland Komlo
3f34b59ee6
remove unnecessary nil checks; default case
...
add tests for TLSConfig object
2018-01-08 09:24:28 -05:00
Chelsea Holland Komlo
6a2432659a
code review fixups
2018-01-08 09:21:06 -05:00
Chelsea Holland Komlo
c0ad9a4627
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2018-01-08 09:21:06 -05:00
Kyle Havlovitz
1c07066064
Add autopilot functionality based on Consul's autopilot
2017-12-18 14:29:41 -08:00
Chelsea Holland Komlo
5951222ccb
fix for rpc_upgrade_mode
2017-12-11 19:23:45 -05:00
Chelsea Komlo
2dfda33703
Nomad agent reload TLS configuration on SIGHUP ( #3479 )
...
* Allow server TLS configuration to be reloaded via SIGHUP
* dynamic tls reloading for nomad agents
* code cleanup and refactoring
* ensure keyloader is initialized, add comments
* allow downgrading from TLS
* initalize keyloader if necessary
* integration test for tls reload
* fix up test to assert success on reloaded TLS configuration
* failure in loading a new TLS config should remain at current
Reload only the config if agent is already using TLS
* reload agent configuration before specific server/client
lock keyloader before loading/caching a new certificate
* introduce a get-or-set method for keyloader
* fixups from code review
* fix up linting errors
* fixups from code review
* add lock for config updates; improve copy of tls config
* GetCertificate only reloads certificates dynamically for the server
* config updates/copies should be on agent
* improve http integration test
* simplify agent reloading storing a local copy of config
* reuse the same keyloader when reloading
* Test that server and client get reloaded but keep keyloader
* Keyloader exposes GetClientCertificate as well for outgoing connections
* Fix spelling
* correct changelog style
2017-11-14 17:53:23 -08:00
Chelsea Holland Komlo
e348deecf5
fixups from code review
2017-11-01 15:21:05 -05:00
Chelsea Holland Komlo
afe9f9a714
add rpc_upgrade_mode as config option for tls upgrades
2017-11-01 15:19:52 -05:00
Alex Dadgar
e5ec915ac3
sync
2017-09-19 10:08:23 -05:00
Michael Schurter
bbcea0dff9
Update consul/api and comment to custom http.Client
2017-05-30 15:11:32 -07:00
Michael Schurter
6f2ecdec27
Update consul/api and fix tls handling
...
Since I was already fixing consul's tls handling in #2645 I decided to
update consul/api and pre-emptively fix our tls handling against the
newest consul/api behavior. consul/api's handling of http.Transports has
improved but would have broken how we handled tls (again).
This would have made for a nasty surprise the next time we updated
consul/api.
2017-05-30 15:11:32 -07:00
Michael Schurter
a4e2463477
Fix consul.verify_ssl
...
Was getting ignored and would have defaulted to false if it wasn't
ignored.
Now defaults to true as per docs and isn't ignored.
2017-05-15 15:32:32 -07:00
Michael Schurter
85210eb92f
Update consul/api to support unix socket addrs
...
Fixes #2594
2017-05-08 11:57:04 -07:00
Pete Wildsmith
1b8a1614ca
reduce to one configuration option
...
There should be just one option, verify_https_client, which
controls incoming and outgoing validation for the HTTPS wrapper
2017-04-28 10:45:09 +01:00
Pete Wildsmith
c948d2ee27
apply gofmt
2017-04-26 18:58:19 +01:00
Pete Wildsmith
56b122c501
Add verification options to TLS config struct
2017-04-25 23:29:43 +01:00
Alex Dadgar
7fae2d2cea
Fix Consul Config Merging/Copying
...
This PR fixes config merging/copying code.
Fixes https://github.com/hashicorp/nomad/issues/2264
2017-02-02 11:12:07 -08:00
Alex Dadgar
9c75ec7f57
Add role to merge test
2017-02-01 16:37:08 -08:00
taylorchu
fd34c03d47
TWEAK: remove else block in tls handling
2017-01-26 14:03:32 -08:00
taylorchu
4453a292a2
BUGFIX: fix consul verify_ssl merging
2017-01-25 16:19:39 -08:00
Alex Dadgar
606bb30863
Merge pull request #2226 from hashicorp/b-vault
...
Improve Vault integration and validation
2017-01-23 14:59:41 -08:00
Alex Dadgar
fb86904902
Check capabilities, allow creation against role
...
Check the capabilities of the Vault token to ensure it is valid and also
allow targetting of a role that the token is not from.
2017-01-19 13:40:32 -08:00
Diptanu Choudhury
e927de02d2
Moved functions to helper from structs
2017-01-18 15:55:14 -08:00
Diptanu Choudhury
c253f5b17d
Fixed merging consul config
2017-01-05 15:15:43 -08:00
Diptanu Choudhury
15f085a4d7
Merge pull request #1931 from hashicorp/rename-vault-config
...
Rename vault config
2016-11-06 10:14:25 -08:00
Diptanu Choudhury
40b9d3bb2d
Fixed comment
2016-11-03 14:45:03 -07:00
Diptanu Choudhury
22681bd8ce
Making AllowUnauthenticated true by default
2016-11-03 14:38:34 -07:00
Diptanu Choudhury
b6f9df5415
Renaming TLS related vault config
2016-11-03 14:24:39 -07:00
Alex Dadgar
ddf5fb82b5
Small cleanups
2016-10-27 10:51:11 -07:00
Diptanu Choudhury
cf35aeac84
Moving the TLSConfig to structs
2016-10-25 15:57:38 -07:00
Alex Dadgar
751aa114bf
Fix Vault parsing of booleans
2016-10-10 18:04:39 -07:00
Diptanu Choudhury
f8cd51b6e9
Enabling vault if token is present
2016-08-18 12:03:50 -07:00
Alex Dadgar
a8efce874f
Token renewal and beginning of tests
2016-08-17 16:25:38 -07:00
Alex Dadgar
713e310670
Renew loop
2016-08-17 16:25:38 -07:00
Alex Dadgar
750a44b2c0
Create a Vault interface for the server
2016-08-17 16:25:38 -07:00