hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

intention: cannot modify intention created with CLI after modification from web UI #11353

Open bcatubig opened 3 years ago

bcatubig commented 3 years ago

Overview of the Issue

When trying to modify an intention created with the cli through the web interface, a 500 error is returned and the intention is not able to be modified by the cli.

Reproduction Steps

The following example used the counting and counting-dashboard examples found in the Consul tutorial.

  1. Create a new intention

    consul intention create dashboard counting

  2. Modify the dashboard => counting intention in the consul web UI from allow to deny
  3. Attempt to modify the dashboard => counting intention from the cli

    consul intention create -deny -replace dashboard counting

Consul info for both Client and Server

Client info

```
➜ ~ consul info
agent:
	check_monitors = 0
	check_ttls = 0
	checks = 6
	services = 6
build:
	prerelease =
	revision = c976ffd2
	version = 1.10.3
consul:
	acl = disabled
	bootstrap = false
	known_datacenters = 1
	leader = true
	leader_addr = 127.0.0.1:8300
	server = true
raft:
	applied_index = 154
	commit_index = 154
	fsm_pending = 0
	last_contact = 0
	last_log_index = 154
	last_log_term = 2
	last_snapshot_index = 0
	last_snapshot_term = 0
	latest_configuration = [{Suffrage:Voter ID:3b257ac5-76f6-f00c-9926-fb996cfdf86a Address:127.0.0.1:8300}]
	latest_configuration_index = 0
	num_peers = 0
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 2
runtime:
	arch = amd64
	cpu_count = 16
	goroutines = 164
	max_procs = 16
	os = darwin
	version = go1.16.7
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 1
	event_time = 2
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
```

Server info

```
output from server 'consul info' command here
```

Operating system and Environment details

OS, Architecture, and any other information you can provide about the environment.

Log Fragments

after modifying the intention in the web ui

```
➜  ~ consul intention create -deny -replace dashboard counting
Error replacing intention with source "dashboard" and destination "counting": Unexpected response code: 500 (Intention lookup failed: failed config entry lookup: index error: UUID must be 36 characters)
```

a different error if omitting the -replace flag

```
➜  ~ consul intention create -deny dashboard counting
Error creating intention "dashboard => counting (deny)": Unexpected response code: 500 (cannot use legacy intention API to edit intentions with a destination of "counting" after editing them via a service-intentions config entry)
```

server log from cli call to modify intention

```
2021-10-19T14:41:24.744-0700 [DEBUG] agent.http: Request finished: method=GET url=/v1/connect/intentions/exact?destination=counting&source=dashboard from=127.0.0.1:53422 latency=89.901µs
2021-10-19T14:41:24.745-0700 [ERROR] agent.http: Request error: method=PUT url=/v1/connect/intentions/ from=127.0.0.1:53422 error="Intention lookup failed: failed config entry lookup: index error: UUID must be 36 characters"
2021-10-19T14:41:24.745-0700 [DEBUG] agent.http: Request finished: method=PUT url=/v1/connect/intentions/ from=127.0.0.1:53422 latency=73.32µs
```

boxofrad commented 3 years ago

Hi @bcatubig 👋🏻

Thanks for the report! It seems that our Learn guide on this topic is out-of-date, I’ll follow that up.

As of Consul v1.9.0, the canonical way to create intentions is via a config entry. The consul intention create CLI command and backing API endpoint are deprecated, and unfortunately modifying the intention via the UI leaves it in a state where it can no longer be managed by the previous method (more here).
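
The config-entry approach mentioned in the comment above, applied to the dashboard => counting intention from the report. This is an added example, not part of the original thread or the project's own documentation; the file name `counting-intentions.hcl` is an assumption.

```hcl
# Added example (not from the thread): the dashboard => counting deny rule
# from the report, expressed as a service-intentions config entry.
# The file name counting-intentions.hcl is an assumption.
#
# Apply:   consul config write counting-intentions.hcl
# Inspect: consul config read -kind service-intentions -name counting

Kind = "service-intentions"

# The entry is named after the destination service; every source that
# may or may not connect to it is listed under Sources.
Name = "counting"

Sources = [
  {
    Name   = "dashboard"
    Action = "deny"
  }
]
```

Later changes are made by editing the file and running `consul config write` again. As the second error in the report shows, the legacy `consul intention create` command is rejected for a destination once its intentions have been edited through a service-intentions config entry.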

johncowen commented 2 years ago

@boxofrad sounds like I can remove the ui label from here? What do you think?

johncowen commented 2 years ago

I just caught up with @blake, and we decided that we could remove the ui label here.