Commit graph

17144 commits

Author SHA1 Message Date
Seth Hoenig 4ee55fcd6c nomad,client: apply more comment/style PR tweaks 2020-01-31 19:04:52 -06:00
Seth Hoenig be7c671919 nomad,client: apply smaller PR suggestions
Apply smaller suggestions like doc strings, variable names, etc.

Co-Authored-By: Nick Ethier <nethier@hashicorp.com>
Co-Authored-By: Michael Schurter <mschurter@hashicorp.com>
2020-01-31 19:04:40 -06:00
Seth Hoenig 78a7d1e426 comments: cleanup some leftover debug comments and such 2020-01-31 19:04:35 -06:00
Seth Hoenig 5c5da95f34 client: skip task SI token file load failure if testing as root
The TestEnvoyBootstrapHook_maybeLoadSIToken test case only works when
running as a non-priveleged user, since it deliberately tries to read
an un-readable file to simulate a failure loading the SI token file.
2020-01-31 19:04:30 -06:00
Seth Hoenig ab7ae8bbb4 client: remove unused indirection for referencing consul executable
Was thinking about using the testing pattern where you create executable
shell scripts as test resources which "mock" the process a bit of code
is meant to fork+exec. Turns out that wasn't really necessary in this case.
2020-01-31 19:04:25 -06:00
Seth Hoenig 076cb4754e agent: re-enable the server in dev mode 2020-01-31 19:04:19 -06:00
Seth Hoenig 8219c78667 nomad: handle SI token revocations concurrently
Be able to revoke SI token accessors concurrently, and also
ratelimit the requests being made to Consul for the various
ACL API uses.
2020-01-31 19:04:14 -06:00
Seth Hoenig 2c7ac9a80d nomad: fixup token policy validation 2020-01-31 19:04:08 -06:00
Seth Hoenig d204f2f4f0 client: enable envoy bootstrap hook to set SI token
When creating the envoy bootstrap configuration, we should append
the "-token=<token>" argument in the case where the sidsHook placed
the token in the secrets directory.
2020-01-31 19:04:01 -06:00
Seth Hoenig 9df33f622f nomad: proxy requests for Service Identity tokens between Clients and Consul
Nomad jobs may be configured with a TaskGroup which contains a Service
definition that is Consul Connect enabled. These service definitions end
up establishing a Consul Connect Proxy Task (e.g. envoy, by default). In
the case where Consul ACLs are enabled, a Service Identity token is required
for these tasks to run & connect, etc. This changeset enables the Nomad Server
to recieve RPC requests for the derivation of SI tokens on behalf of instances
of Consul Connect using Tasks. Those tokens are then relayed back to the
requesting Client, which then injects the tokens in the secrets directory of
the Task.
2020-01-31 19:03:53 -06:00
Seth Hoenig 93cf770edb client: enable nomad client to request and set SI tokens for tasks
When a job is configured with Consul Connect aware tasks (i.e. sidecar),
the Nomad Client should be able to request from Consul (through Nomad Server)
Service Identity tokens specific to those tasks.
2020-01-31 19:03:38 -06:00
Seth Hoenig 2b66ce93bb nomad: ensure a unique ClusterID exists when leader (gh-6702)
Enable any Server to lookup the unique ClusterID. If one has not been
generated, and this node is the leader, generate a UUID and attempt to
apply it through raft.

The value is not yet used anywhere in this changeset, but is a prerequisite
for gh-6701.
2020-01-31 19:03:26 -06:00
Seth Hoenig f030a22c7c command, docs: create and document consul token configuration for connect acls (gh-6716)
This change provides an initial pass at setting up the configuration necessary to
enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul
Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert`
commands (similar to Vault tokens).

These values are not actually used yet in this changeset.
2020-01-31 19:02:53 -06:00
Michael Lange 8a9b60f011 Call out the 'down' status too, since it's a pretty bad one 2020-01-31 12:56:15 -08:00
Michael Lange 38d23b5ba8 Add an animation for the initializing state 2020-01-31 12:56:11 -08:00
Michael Lange f00a50a55b Redo the node-status-light CSS to be icon-based 2020-01-31 12:56:08 -08:00
Michael Lange 536a597a92 New node initializing icon 2020-01-31 12:56:05 -08:00
Michael Lange 9dbdbc23dd Assign icons to node statuses 2020-01-31 12:56:02 -08:00
Michael Lange 89532e27e3 Add an icon inside the node status light 2020-01-31 12:55:59 -08:00
Michael Lange 0f8ea7d37a Allow for an icon within the node status light 2020-01-31 12:55:55 -08:00
Mahmood Ali 5983226cb9 Some fixes to connection pooling
Pick up some fixes from Consul:

* If a stream returns an EOF error, clear session from cache/pool and start a
new one.
* Close the codec when closing StreamClient
2020-01-31 15:31:16 -05:00
Mahmood Ali 5d992a6535
Merge pull request #7043 from hashicorp/b-collection-interval
Pass stats interval colleciton to executor
2020-01-31 15:03:30 -05:00
Mahmood Ali 68dbbc155d changelog 2020-01-31 14:22:08 -05:00
Mahmood Ali ac80d62c84 Pass stats interval colleciton to executor
This fixes a bug where executor based drivers emit stats every second,
regardless of user configuration.

When serializing the Stats request across grpc, the nomad agent dropped
the Interval value, and then executor uses 1s as a default value.
2020-01-31 14:17:15 -05:00
Michael Lange ef33a47553
Merge pull request #7028 from hashicorp/f-ui/node-drain-disable
UI: Disable client write actions when ACL token only allows client read
2020-01-31 10:20:06 -08:00
Mahmood Ali 60779a36e2
Merge pull request #7041 from tiangolo/patch-1
Use secret ID for NOMAD_TOKEN
2020-01-31 13:00:40 -05:00
Sebastián Ramírez 830ee3a693
Use secret ID for NOMAD_TOKEN
Use secret ID for NOMAD_TOKEN as the accessor ID doesn't seem to work.

I tried with a local micro cluster following the tutorials, and if I do:

```console
$ export NOMAD_TOKEN=85310d07-9afa-ef53-0933-0c043cd673c7
```

Using the accessor ID as in this example, I get an error:

```
Error querying jobs: Unexpected response code: 403 (ACL token not found)
```

But when using the secret ID in that env var it seems to work correctly.
2020-01-31 18:57:16 +01:00
Michael Lange 31b83b1c70 Acceptance test for disabled node write controls 2020-01-31 09:41:37 -08:00
Michael Lange 5c4c05824a Account for disabled ACLs in ability tests 2020-01-31 09:41:36 -08:00
Michael Lange 59897f9716 Handle the case where ACLs aren't enabled in abilities 2020-01-31 09:41:36 -08:00
Michael Lange 175f80da16 Fix token referencing from the token controller, as well as resetting 2020-01-31 09:41:35 -08:00
Michael Lange 9438330329 Add an explanatory tooltip to the unauthorized node drain popover 2020-01-31 09:41:33 -08:00
Michael Lange 4eac743262 Update disabled 'Run Job' button to use standard disabled style 2020-01-31 09:41:32 -08:00
Mahmood Ali 73200bfa69
Merge pull request #7010 from hashicorp/doc-bulk-20200129
Docs and Changelog catch up
2020-01-31 10:51:07 -05:00
Tim Gross 5d9783da79
hclfmt a test jobspec (#7011) 2020-01-31 08:04:03 -05:00
Michael Lange eb7d34df6b Disable options for popover and drain-popover 2020-01-30 21:29:29 -08:00
Michael Lange 1599b8b5fc Disabled button styles 2020-01-30 21:29:28 -08:00
Michael Lange cdd7a4fdb7 New disabled buttons story 2020-01-30 21:29:26 -08:00
Michael Lange 7c796a33a9 Refetch all ACL things when the token changes 2020-01-30 21:29:24 -08:00
Michael Lange c7af942652 Enable the eligibility toggle conditionally based on acls 2020-01-30 21:29:22 -08:00
Michael Lange 2dac1d6705 Refactor ability tests to use a setup hook for ability lookup 2020-01-30 21:29:21 -08:00
Michael Lange 1fae4083eb Add an ability for client permissions 2020-01-30 21:29:19 -08:00
Michael Schurter 1d8f1ee473
Merge pull request #7026 from hashicorp/post-0103
Post 0103
2020-01-30 15:25:26 -08:00
Michael Schurter 77bd6c0b9c docs: add v0.10.3 release to changelog 2020-01-30 15:24:33 -08:00
Michael Schurter 60e1ae5012 docs: bump 0.10.2 -> 0.10.3 2020-01-30 15:22:59 -08:00
Michael Schurter 54324bb91c
Merge pull request #7023 from hashicorp/b-tls-validation
Validate role and region for mTLS
2020-01-30 11:05:37 -08:00
Michael Schurter dd7712795d
Merge branch 'master' into b-tls-validation 2020-01-30 11:05:15 -08:00
Michael Schurter c7d63305b0
Merge pull request #7022 from hashicorp/f-handshake-deadlines-oss
core: add limits to unauthorized connections
2020-01-30 11:01:10 -08:00
Mahmood Ali a9f551542d Merge pull request #160 from hashicorp/b-mtls-hostname
server: validate role and region for RPC w/ mTLS
2020-01-30 12:59:17 -06:00
Michael Schurter 8d18b5d6be docs: document limits
Taken more or less verbatim from Consul.
2020-01-30 10:38:42 -08:00