luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

connect/ca: more OSS split for multi-dc

This commit is contained in:
Kyle Havlovitz 2018-09-28 03:47:37 -07:00
parent 6d5160c139
commit 0cbd176a48
5 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
agent/consul/connect_ca_endpoint.go
View File

@ -120,7 +120,10 @@ func (s *ConnectCA) ConfigurationSet(
return err return err
} }
if root != nil && root.ID == newActiveRoot.ID { // If the root didn't change or if this is a secondary DC, just update the
// config and return.
if (s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter) ||
root != nil && root.ID == newActiveRoot.ID {
args.Op = structs.CAOpSetConfig args.Op = structs.CAOpSetConfig
resp, err := s.srv.raftApply(structs.ConnectCARequestType, args) resp, err := s.srv.raftApply(structs.ConnectCARequestType, args)
if err != nil { if err != nil {

4
agent/consul/leader.go
View File

@ -227,6 +227,8 @@ func (s *Server) establishLeadership() error {
return err return err
} }
s.startEnterpriseLeader()
s.startCARootPruning() s.startCARootPruning()
s.setConsistentReadReady() s.setConsistentReadReady()
@ -245,6 +247,8 @@ func (s *Server) revokeLeadership() error {
return err return err
} }
s.stopEnterpriseLeader()
s.stopCARootPruning() s.stopCARootPruning()
s.setCAProvider(nil, nil) s.setCAProvider(nil, nil)

4
agent/consul/leader_oss.go
View File

@ -23,3 +23,7 @@ func (s *Server) initializeCA() error {
return s.initializeRootCA(provider, conf) return s.initializeRootCA(provider, conf)
} }
// Stub methods, only present in Consul Enterprise.
func (s *Server) startEnterpriseLeader() {}
func (s *Server) stopEnterpriseLeader() {}

9
agent/consul/server.go
View File

@ -274,6 +274,15 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (*
config.UseTLS = true config.UseTLS = true
} }
// Set the primary DC if it wasn't set.
if config.PrimaryDatacenter == "" {
if config.ACLDatacenter != "" {
config.PrimaryDatacenter = config.ACLDatacenter
} else {
config.PrimaryDatacenter = config.Datacenter
}
}
// Create the TLS wrapper for outgoing connections. // Create the TLS wrapper for outgoing connections.
tlsConf := config.tlsConfig() tlsConf := config.tlsConfig()
tlsWrap, err := tlsConf.OutgoingTLSWrapper() tlsWrap, err := tlsConf.OutgoingTLSWrapper()

2
website/source/docs/agent/options.html.md
View File

@ -498,7 +498,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
#### Configuration Key Reference #### Configuration Key Reference
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is * <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
deprecated in Consul 1.3.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement