Commit
Merge branch 'main' into fix-issuer-growing-list-maybe-from-vault
Showing 396 changed files with 19,487 additions and 3,720 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:enhancement | ||
raft: add an operator api endpoint and a command to initiate raft leadership transfer. | ||
``` |
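Review bot: the type tag `release-note:enhancement` does not match the tags used by the other entries in this commit, which use `release-note:improvement` for comparable changes (the go module directive entries, for example); if the changelog tooling keys on the tag, this entry will be dropped or mis-sectioned, so change it to `release-note:improvement` (or `release-note:feature` if the new operator API endpoint is meant to be announced as a feature). It would also help operators if the entry named the endpoint path and the command added.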
This file was deleted.
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy. | ||
``` |
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries. | ||
``` |
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters. | ||
``` |
@@ -0,0 +1,7 @@ | ||
```release-note:improvement | ||
api: updated the go module directive to 1.18. | ||
``` | ||
|
||
```release-note:improvement | ||
sdk: updated the go module directive to 1.18. | ||
``` |
@@ -0,0 +1,7 @@ | ||
```release-note:breaking-change | ||
config: update 1.14 config defaults: Enable `peering` and `connect` by default. | ||
``` | ||
|
||
```release-note:breaking-change | ||
config: update 1.14 config defaults: Set gRPC TLS port default value to 8503 | ||
``` |
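Review bot: the second entry is missing its terminating period, and neither entry says how to keep the previous behaviour. Enabling `peering` and `connect` by default and giving the gRPC TLS port a default of 8503 means an agent upgraded with an unchanged configuration starts listening on a new port and serving peering and Connect APIs it did not serve before; a breaking-change entry should name the configuration keys to set to opt out so operators can review firewall rules and ACLs before upgrading.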
@@ -0,0 +1,3 @@ | ||
```release-note:improvements | ||
acl: Allow reading imported services and nodes from cluster peers with read all permissions | ||
``` |
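Review bot: `release-note:improvements` is plural while every other entry in this commit uses `release-note:improvement`; a tag the changelog tooling does not recognise will be silently omitted from the generated notes, so change it to the singular. The entry should also say which permission "read all" refers to (read on all services and nodes, or something narrower), since this widens what peer-imported data an existing token can see.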
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider. | ||
``` |
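Review bot: the entry names the Vault provider as the trigger but describes the stripping as applying to the ingress gateway leaf certificate in general; please state whether the port is removed from the DNS SANs for every CA provider (which changes the SAN set of certificates issued by the built-in provider as well) or only when Vault is the provider, since anything matching on the old SAN form would need to know.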
@@ -0,0 +1,3 @@ | ||
```release-note:security | ||
Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920) | ||
``` |
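Review bot: unlike the other entries this one has no component prefix (`acl:` or `ui:`), so it will sort oddly beside them; the wording could also spell out the effect for readers of the notes, namely that before this fix the UI Nodes/Services endpoints returned peer-imported nodes and services without applying the caller's ACL policy. Consider linking the HashiCorp security advisory next to the CVE so affected versions are discoverable from the changelog.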
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names. | ||
``` |
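Review bot: because this loosens a check on the JWT authorization path, the entry should say what the previous restriction on node names was and why whitespace and quote characters remain disallowed, so a later change does not relax it further without knowing whether the node name is substituted somewhere those characters are significant.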
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter | ||
``` |
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
dns/peering: **(Enterprise Only)** Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services. | ||
``` |
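Review bot: the placeholders `<servicename>`, `<namespace>`, `<partition>` and `<peername>` are unquoted, so a Markdown changelog renderer is likely to treat them as HTML tags and drop them; wrap each address in backticks. The last sentence also reads awkwardly ("This longer form address that allows specifying `.peer` would need to be used"); suggest "The longer form, which includes `.peer`, must be used for transparent-proxy DNS requests made from non-default partitions for imported services."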
@@ -1,3 +1,5 @@ | ||
Copyright (c) 2013 HashiCorp, Inc. | ||
|
||
Mozilla Public License, version 2.0 | ||
|
||
1. Definitions | ||
|
@@ -0,0 +1,223 @@ | ||
package acl | ||
|
||
import "github.com/stretchr/testify/mock" | ||
|
||
type MockAuthorizer struct { | ||
mock.Mock | ||
} | ||
|
||
var _ Authorizer = (*MockAuthorizer)(nil) | ||
|
||
// ACLRead checks for permission to list all the ACLs | ||
func (m *MockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// ACLWrite checks for permission to manipulate ACLs | ||
func (m *MockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// AgentRead checks for permission to read from agent endpoints for a | ||
// given node. | ||
func (m *MockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// AgentWrite checks for permission to make changes via agent endpoints | ||
// for a given node. | ||
func (m *MockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// EventRead determines if a specific event can be queried. | ||
func (m *MockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// EventWrite determines if a specific event may be fired. | ||
func (m *MockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// IntentionDefaultAllow determines the default authorized behavior | ||
// when no intentions match a Connect request. | ||
func (m *MockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// IntentionRead determines if a specific intention can be read. | ||
func (m *MockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// IntentionWrite determines if a specific intention can be | ||
// created, modified, or deleted. | ||
func (m *MockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyList checks for permission to list keys under a prefix | ||
func (m *MockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyRead checks for permission to read a given key | ||
func (m *MockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyWrite checks for permission to write a given key | ||
func (m *MockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyWritePrefix checks for permission to write to an | ||
// entire key prefix. This means there must be no sub-policies | ||
// that deny a write. | ||
func (m *MockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyringRead determines if the encryption keyring used in | ||
// the gossip layer can be read. | ||
func (m *MockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// KeyringWrite determines if the keyring can be manipulated | ||
func (m *MockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// NodeRead checks for permission to read (discover) a given node. | ||
func (m *MockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
func (m *MockAuthorizer) NodeReadAll(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// NodeWrite checks for permission to create or update (register) a | ||
// given node. | ||
func (m *MockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
func (m *MockAuthorizer) MeshRead(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
func (m *MockAuthorizer) MeshWrite(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// PeeringRead determines if the read-only Consul peering functions | ||
// can be used. | ||
func (m *MockAuthorizer) PeeringRead(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// PeeringWrite determines if the state-changing Consul peering | ||
// functions can be used. | ||
func (m *MockAuthorizer) PeeringWrite(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// OperatorRead determines if the read-only Consul operator functions | ||
// can be used. ret := m.Called(segment, ctx) | ||
func (m *MockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// OperatorWrite determines if the state-changing Consul operator | ||
// functions can be used. | ||
func (m *MockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// PreparedQueryRead determines if a specific prepared query can be read | ||
// to show its contents (this is not used for execution). | ||
func (m *MockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// PreparedQueryWrite determines if a specific prepared query can be | ||
// created, modified, or deleted. | ||
func (m *MockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// ServiceRead checks for permission to read a given service | ||
func (m *MockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
func (m *MockAuthorizer) ServiceReadAll(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// ServiceWrite checks for permission to create or update a given | ||
// service | ||
func (m *MockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// ServiceWriteAny checks for service:write on any service | ||
func (m *MockAuthorizer) ServiceWriteAny(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// SessionRead checks for permission to read sessions for a given node. | ||
func (m *MockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// SessionWrite checks for permission to create sessions for a given | ||
// node. | ||
func (m *MockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(segment, ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
// Snapshot checks for permission to take and restore snapshots. | ||
func (m *MockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision { | ||
ret := m.Called(ctx) | ||
return ret.Get(0).(EnforcementDecision) | ||
} | ||
|
||
func (p *MockAuthorizer) ToAllowAuthorizer() AllowAuthorizer { | ||
return AllowAuthorizer{Authorizer: p} | ||
} |
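Review bot: the doc comment on `OperatorRead` has a pasted-in statement, `// can be used. ret := m.Called(segment, ctx)`, which should be removed; it is also misleading because `OperatorRead` takes no segment. Beyond that, `NodeReadAll`, `MeshRead`, `MeshWrite` and `ServiceReadAll` are the only methods without a doc comment, and `ToAllowAuthorizer` uses receiver name `p` where every other method uses `m`; aligning both keeps the mock consistent with the `Authorizer` interface it asserts against via `var _ Authorizer = (*MockAuthorizer)(nil)`. Since `m.Called(...)` panics when a test has not set up an expectation for the call, a short type comment saying every method a test exercises must be stubbed with `On(...)` would save test authors a confusing panic.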