From 0cbd176a487667efac37b261435b98ed9bb3e1e5 Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Fri, 28 Sep 2018 03:47:37 -0700
Subject: [PATCH] connect/ca: more OSS split for multi-dc

---
 agent/consul/connect_ca_endpoint.go       | 5 ++++-
 agent/consul/leader.go                    | 4 ++++
 agent/consul/leader_oss.go                | 4 ++++
 agent/consul/server.go                    | 9 +++++++++
 website/source/docs/agent/options.html.md | 2 +-
 5 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index 1a27bd522..f0bd6cf21 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -120,7 +120,10 @@ func (s *ConnectCA) ConfigurationSet(
 		return err
 	}
 
-	if root != nil && root.ID == newActiveRoot.ID {
+	// If the root didn't change or if this is a secondary DC, just update the
+	// config and return.
+	if (s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter) ||
+		root != nil && root.ID == newActiveRoot.ID {
 		args.Op = structs.CAOpSetConfig
 		resp, err := s.srv.raftApply(structs.ConnectCARequestType, args)
 		if err != nil {
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index ba1313989..ce3961193 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -227,6 +227,8 @@ func (s *Server) establishLeadership() error {
 		return err
 	}
 
+	s.startEnterpriseLeader()
+
 	s.startCARootPruning()
 
 	s.setConsistentReadReady()
@@ -245,6 +247,8 @@ func (s *Server) revokeLeadership() error {
 		return err
 	}
 
+	s.stopEnterpriseLeader()
+
 	s.stopCARootPruning()
 
 	s.setCAProvider(nil, nil)
diff --git a/agent/consul/leader_oss.go b/agent/consul/leader_oss.go
index 3ec519045..c1f696869 100644
--- a/agent/consul/leader_oss.go
+++ b/agent/consul/leader_oss.go
@@ -23,3 +23,7 @@ func (s *Server) initializeCA() error {
 
 	return s.initializeRootCA(provider, conf)
 }
+
+// Stub methods, only present in Consul Enterprise.
+func (s *Server) startEnterpriseLeader() {}
+func (s *Server) stopEnterpriseLeader() {}
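Review bot: The new condition mixes `||` and `&&` with parentheses around only the first operand, so a reader has to recall that `&&` binds tighter to see that the root-unchanged test is the grouped pair; write it as `if s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter || (root != nil && root.ID == newActiveRoot.ID) {`. The same datacenter comparison will presumably be needed by the Enterprise side and by other CA paths, so a small `func (s *Server) inPrimaryDatacenter() bool` on Server would keep a single definition of "primary" rather than repeating the string comparison at each call site. That comparison is also what decides whether a datacenter ever rotates its root: if PrimaryDatacenter were empty on this path (the defaulting added in server.go runs only in NewServerLogger), every server would silently take the config-only branch and drop the operator's rotation, so a comment stating that the field is guaranteed non-empty here, or an explicit guard, would make the assumption visible. ConfigurationSet starts and ends outside the hunk, so the provider and newActiveRoot set-up that is skipped in the secondary case is not shown here.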
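Review bot: `s.startEnterpriseLeader()` is placed before `s.setConsistentReadReady()`, so anything the Enterprise hook starts runs while this server still reports itself not ready for consistent reads; if that routine issues reads against the local server, the ordering matters and deserves a line at the call site, e.g. `// Enterprise leader routines start before consistent reads are marked ready.`. A short note that this call is paired with stopEnterpriseLeader in revokeLeadership would also help the next reader locate the teardown. establishLeadership begins before the hunk and its remaining lines are not shown.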
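Review bot: `s.stopEnterpriseLeader()` is only reached if the step immediately above it succeeds — the `return err` two lines up leaves the function first — so when that step fails, whatever the Enterprise hook started keeps running on a server that is no longer leader. Nothing visible orders the stop hook after that step, so calling `s.stopEnterpriseLeader()` at the top of revokeLeadership, or from a `defer`, would make the teardown unconditional; the same weakness already applies to `stopCARootPruning`, but the new hook widens it. The beginning of revokeLeadership, including the fallible step, is outside the hunk.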
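Review bot: The shared comment `// Stub methods, only present in Consul Enterprise.` reads as if the methods themselves are absent in OSS, when it is the real implementations that live in Enterprise and these are the OSS no-ops. Go convention is one doc comment per function, e.g. `// startEnterpriseLeader is a no-op in OSS; Enterprise uses it to start leader-only routines when this server gains leadership.` and `// stopEnterpriseLeader is a no-op in OSS; Enterprise uses it to stop those routines when leadership is lost.`. If the Enterprise versions are expected to tolerate a stop without a matching start, or repeated calls, that contract belongs here too, since the OSS stubs are the only place the expected behaviour is spelled out for both builds.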
diff --git a/agent/consul/server.go b/agent/consul/server.go
index fefb11f61..94bc01e8d 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -274,6 +274,15 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (*
 		config.UseTLS = true
 	}
 
+	// Set the primary DC if it wasn't set.
+	if config.PrimaryDatacenter == "" {
+		if config.ACLDatacenter != "" {
+			config.PrimaryDatacenter = config.ACLDatacenter
+		} else {
+			config.PrimaryDatacenter = config.Datacenter
+		}
+	}
+
 	// Create the TLS wrapper for outgoing connections.
 	tlsConf := config.tlsConfig()
 	tlsWrap, err := tlsConf.OutgoingTLSWrapper()
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index d28b94619..afa51d85a 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -498,7 +498,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
 #### Configuration Key Reference
 * `acl_datacenter` - **This field is
-  deprecated in Consul 1.3.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
+  deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
   This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
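Review bot: The defaulting of `PrimaryDatacenter` lives only inside NewServerLogger, so any code that reads `config.PrimaryDatacenter` before this point, or a client agent that never constructs a Server, still sees the empty string while servers see a datacenter name; if the field is meant to be agreed on cluster-wide (the doc hunk in this commit steers users to `primary_datacenter`), the default belongs in the agent config builder so servers and clients resolve it identically. Falling back to the deprecated `ACLDatacenter` is silent; with `logger` already in scope, a line such as `logger.Printf("[WARN] consul: primary_datacenter not set, defaulting to deprecated acl_datacenter %q", config.ACLDatacenter)` (matching the file's log format) would tell operators which datacenter their servers now treat as primary for CA purposes. An explicit `ACLDatacenter` that differs from an explicit `PrimaryDatacenter` is also accepted without comment here, and a warning for that case would catch half-migrated configs. NewServerLogger starts before the hunk and continues past it.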