open-consul/command/config/config.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package config

import (
	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/consul/command/flags"
	"github.com/mitchellh/cli"
)

func New() *cmd {
	return &cmd{}
}

type cmd struct{}

func (c *cmd) Run(args []string) int {
	return cli.RunResultHelp
}

func (c *cmd) Synopsis() string {
	return synopsis
}

func (c *cmd) Help() string {
	return flags.Usage(help, nil)
}

const synopsis = "Interact with Consul's Centralized Configurations"
const help = `
Usage: consul config <subcommand> [options] [args]

  This command has subcommands for interacting with Consul's Centralized
  Configuration system. Here are some simple examples, and more detailed
  examples are available in the subcommands or the documentation.

  Write a config:

    $ consul config write web.serviceconf.hcl

  Read a config:

    $ consul config read -kind service-defaults -name web

  List all configs for a type:

    $ consul config list -kind service-defaults

  Delete a config:

    $ consul config delete -kind service-defaults -name web

  For more examples, ask for subcommand help or view the documentation.
`

const (
	// TODO(pglass): These warnings can go away when the UI provides visibility into
	// permissive mTLS settings (expected 1.17).
	WarningServiceDefaultsPermissiveMTLS = "MutualTLSMode=permissive is insecure. " +
		"Set to `strict` when your service no longer needs to accept non-mTLS " +
		"traffic. Check `tcp.permissive_public_listener` metrics in Envoy for " +
		"non-mTLS traffic. Refer to Consul documentation for more information."

	WarningProxyDefaultsPermissiveMTLS = "MutualTLSMode=permissive is insecure. " +
		"To keep your services secure, set MutualTLSMode to `strict` whenever possible " +
		"and override with service-defaults only if necessary. To check which " +
		"service-defaults are currently in permissive mode, run `consul config list " +
		"-kind service-defaults -filter 'MutualTLSMode = \"permissive\"'`."

	WarningMeshAllowEnablingPermissiveMutualTLS = "AllowEnablingPermissiveMutualTLS=true " +
		"allows insecure MutualTLSMode=permissive configurations in the proxy-defaults " +
		"and service-defaults config entries. You can set " +
		"AllowEnablingPermissiveMutualTLS=false at any time to disallow additional " +
		"permissive configurations. To list services in permissive mode, run `consul " +
		"config list -kind service-defaults -filter 'MutualTLSMode = \"permissive\"'`."
)

// KindSpecificWriteWarning returns a warning message for the given config
// entry write. Use this to inform the user of (un)recommended settings when
// they read or write config entries with the CLI.
//
// Do not return a warning on default/zero values. Because the config
// entry is parsed, we cannot distinguish between an absent field in the
// user-provided content and a zero value, so we'd end up warning on
// every invocation.
func KindSpecificWriteWarning(reqEntry api.ConfigEntry) string {
	switch req := reqEntry.(type) {
	case *api.ServiceConfigEntry:
		if req.MutualTLSMode == api.MutualTLSModePermissive {
			return WarningServiceDefaultsPermissiveMTLS
		}
	case *api.ProxyConfigEntry:
		if req.MutualTLSMode == api.MutualTLSModePermissive {
			return WarningProxyDefaultsPermissiveMTLS
		}
	case *api.MeshConfigEntry:
		if req.AllowEnablingPermissiveMutualTLS == true {
			return WarningMeshAllowEnablingPermissiveMutualTLS
		}
	}
	return ""
}
Copyright headers for command folder (#16705) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files * copyright headers for agent folder * Copyright headers for command folder * fix merge conflicts 2023-03-28 19:12:30 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import 2019-04-30 23:27:16 +00:00			`package config`

			`import (`
Permissive mTLS: Config entry filtering and CLI warnings (#17183) This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'. It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true. 2023-04-28 17:51:36 +00:00			`"github.com/hashicorp/consul/api"`
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import 2019-04-30 23:27:16 +00:00			`"github.com/hashicorp/consul/command/flags"`
			`"github.com/mitchellh/cli"`
			`)`

			`func New() *cmd {`
			`return &cmd{}`
			`}`

			`type cmd struct{}`

			`func (c *cmd) Run(args []string) int {`
			`return cli.RunResultHelp`
			`}`

			`func (c *cmd) Synopsis() string {`
			`return synopsis`
			`}`

			`func (c *cmd) Help() string {`
			`return flags.Usage(help, nil)`
			`}`

			`const synopsis = "Interact with Consul's Centralized Configurations"`
			const help = `
			`Usage: consul config <subcommand> [options] [args]`

			`This command has subcommands for interacting with Consul's Centralized`
			`Configuration system. Here are some simple examples, and more detailed`
			`examples are available in the subcommands or the documentation.`

adding new config entries for L7 discovery chain (unused) (#5987) 2019-06-27 17:37:43 +00:00			`Write a config:`
Centralized Config CLI (#5731) * Add HTTP endpoints for config entry management * Finish implementing decoding in the HTTP Config entry apply endpoint * Add CAS operation to the config entry apply endpoint Also use this for the bootstrapping and move the config entry decoding function into the structs package. * First pass at the API client for the config entries * Fixup some of the ConfigEntry APIs Return a singular response object instead of a list for the ConfigEntry.Get RPC. This gets plumbed through the HTTP API as well. Dont return QueryMeta in the JSON response for the config entry listing HTTP API. Instead just return a list of config entries. * Minor API client fixes * Attempt at some ConfigEntry api client tests These don’t currently work due to weak typing in JSON * Get some of the api client tests passing * Implement reflectwalk magic to correct JSON encoding a ProxyConfigEntry Also added a test for the HTTP endpoint that exposes the problem. However, since the test doesn’t actually do the JSON encode/decode its still failing. * Move MapWalk magic into a binary marshaller instead of JSON. * Add a MapWalk test * Get rid of unused func * Get rid of unused imports * Fixup some tests now that the decoding from msgpack coerces things into json compat types * Stub out most of the central config cli Fully implement the config read command. * Basic config delete command implementation * Implement config write command * Implement config list subcommand Not entirely sure about the output here. Its basically the read output indented with a line specifying the kind/name of each type which is also duplicated in the indented output. * Update command usage * Update some help usage formatting * Add the connect enable helper cli command * Update list command output * Rename the config entry API client methods. * Use renamed apis * Implement config write tests Stub the others with the noTabs tests. * Change list output format Now just simply output 1 line per named config * Add config read tests * Add invalid args write test. * Add config delete tests * Add config list tests * Add connect enable tests * Update some CLI commands to use CAS ops This also modifies the HTTP API for a write op to return a boolean indicating whether the value was written or not. * Fix up the HTTP API CAS tests as I realized they weren’t testing what they should. * Update config entry rpc tests to properly test CAS * Fix up a few more tests * Fix some tests that using ConfigEntries.Apply * Update config_write_test.go * Get rid of unused import 2019-04-30 23:27:16 +00:00
			`$ consul config write web.serviceconf.hcl`

			`Read a config:`

			`$ consul config read -kind service-defaults -name web`

			`List all configs for a type:`

			`$ consul config list -kind service-defaults`

			`Delete a config:`

			`$ consul config delete -kind service-defaults -name web`

			`For more examples, ask for subcommand help or view the documentation.`
			`
Permissive mTLS: Config entry filtering and CLI warnings (#17183) This adds filtering for service-defaults: consul config list -filter 'MutualTLSMode == "permissive"'. It adds CLI warnings when the CLI writes a config entry and sees that either service-defaults or proxy-defaults contains MutualTLSMode=permissive, or sees that the mesh config entry contains AllowEnablingPermissiveMutualTLSMode=true. 2023-04-28 17:51:36 +00:00
			`const (`
			`// TODO(pglass): These warnings can go away when the UI provides visibility into`
			`// permissive mTLS settings (expected 1.17).`
			`WarningServiceDefaultsPermissiveMTLS = "MutualTLSMode=permissive is insecure. " +`
			"Set to `strict` when your service no longer needs to accept non-mTLS " +
			"traffic. Check `tcp.permissive_public_listener` metrics in Envoy for " +
			`"non-mTLS traffic. Refer to Consul documentation for more information."`

			`WarningProxyDefaultsPermissiveMTLS = "MutualTLSMode=permissive is insecure. " +`
			"To keep your services secure, set MutualTLSMode to `strict` whenever possible " +
			`"and override with service-defaults only if necessary. To check which " +`
			"service-defaults are currently in permissive mode, run `consul config list " +
			"-kind service-defaults -filter 'MutualTLSMode = \"permissive\"'`."

			`WarningMeshAllowEnablingPermissiveMutualTLS = "AllowEnablingPermissiveMutualTLS=true " +`
			`"allows insecure MutualTLSMode=permissive configurations in the proxy-defaults " +`
			`"and service-defaults config entries. You can set " +`
			`"AllowEnablingPermissiveMutualTLS=false at any time to disallow additional " +`
			"permissive configurations. To list services in permissive mode, run `consul " +
			"config list -kind service-defaults -filter 'MutualTLSMode = \"permissive\"'`."
			`)`

			`// KindSpecificWriteWarning returns a warning message for the given config`
			`// entry write. Use this to inform the user of (un)recommended settings when`
			`// they read or write config entries with the CLI.`
			`//`
			`// Do not return a warning on default/zero values. Because the config`
			`// entry is parsed, we cannot distinguish between an absent field in the`
			`// user-provided content and a zero value, so we'd end up warning on`
			`// every invocation.`
			`func KindSpecificWriteWarning(reqEntry api.ConfigEntry) string {`
			`switch req := reqEntry.(type) {`
			`case *api.ServiceConfigEntry:`
			`if req.MutualTLSMode == api.MutualTLSModePermissive {`
			`return WarningServiceDefaultsPermissiveMTLS`
			`}`
			`case *api.ProxyConfigEntry:`
			`if req.MutualTLSMode == api.MutualTLSModePermissive {`
			`return WarningProxyDefaultsPermissiveMTLS`
			`}`
			`case *api.MeshConfigEntry:`
			`if req.AllowEnablingPermissiveMutualTLS == true {`
			`return WarningMeshAllowEnablingPermissiveMutualTLS`
			`}`
			`}`
			`return ""`
			`}`