From 60bb53d4e66cf78632f0453fa4253ac7a38652e1 Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Wed, 7 Nov 2018 02:15:37 -0800 Subject: [PATCH 1/3] config: remote connect replication_token --- agent/config/builder.go | 1 + agent/config/config.go | 11 +++++------ agent/config/runtime_test.go | 1 + website/source/docs/agent/options.html.md | 4 ++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/agent/config/builder.go b/agent/config/builder.go index 0291b2a67..01040fb76 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -756,6 +756,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { ConnectProxyDefaultDaemonCommand: proxyDefaultDaemonCommand, ConnectProxyDefaultScriptCommand: proxyDefaultScriptCommand, ConnectProxyDefaultConfig: proxyDefaultConfig, + ConnectReplicationToken: b.stringVal(c.ACL.Tokens.Replication), DataDir: b.stringVal(c.DataDir), Datacenter: datacenter, DevMode: b.boolVal(b.Flags.DevMode), diff --git a/agent/config/config.go b/agent/config/config.go index 804e80507..e71aaa1d0 100644 --- a/agent/config/config.go +++ b/agent/config/config.go 
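Review bot: The new `ConnectReplicationToken` line copies `c.ACL.Tokens.Replication` into RuntimeConfig at build time, so a replication token that is only supplied later through the agent token API (which the options.html.md hunk in this same patch says is supported) would, if the Connect replication code reads this RuntimeConfig field, never reach Connect replication; where the ACL replication token is kept in a runtime-updatable store, Connect replication should read from that same source rather than from this snapshot. I cannot see the consumer of the field from here, so please confirm which source it reads. The assignment also deserves a line comment, e.g. `// Connect replication reuses the ACL replication token (acl.tokens.replication); connect.replication_token is no longer read.`, since the RuntimeConfig definition itself is outside the hunk. Build's body starts and ends outside the hunk.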
@@ -499,12 +499,11 @@ type Upstream struct { type Connect struct { // Enabled opts the agent into connect. It should be set on all clients and // servers in a cluster for correct connect operation. - Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"` - Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"` - ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"` - CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"` - CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"` - ReplicationToken *string `json:"replication_token,omitempty" hcl:"replication_token" mapstructure:"replication_token"` + Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"` + Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"` + ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"` + CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"` + CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"` } // ConnectProxy is the agent-global connect proxy configuration. diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index fe286bdf1..f318448c7 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -4143,6 +4143,7 @@ func TestFullConfig(t *testing.T) { "connect_timeout_ms": float64(1000), "pedantic_mode": true, }, + ConnectReplicationToken: "5795983a", DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")}, DNSARecordLimit: 29907, DNSAllowStale: true, diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index 2fa011a6a..b868991f7 100644 --- a/website/source/docs/agent/options.html.md 
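Review bot: Dropping `ReplicationToken` from `Connect` leaves no handling for configs that still set `connect.replication_token`; depending on how the loader treats unused keys (not visible in this hunk) that key will either be rejected as unknown or silently ignored, and in the silent case a deployment that relied on it stops replicating CA and intention data without any log line while the token still sits in the config file. A deprecation path would be safer: keep the field for one release, and in Build either warn that `connect.replication_token` is ignored or fall back to it when `acl.tokens.replication` is empty. At minimum a note at the struct, e.g. `// ReplicationToken was removed; Connect replication now uses acl.tokens.replication.`, records why the key is gone. The runtime_test.go hunk later on this line pins the new RuntimeConfig field but exercises nothing for the removed key.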
+++ b/website/source/docs/agent/options.html.md @@ -592,6 +592,8 @@ default will automatically work with some tooling. ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens) on each server. If the `replication` token is set in the config. This token must have at least "read" permissions on ACL data but if ACL token replication is enabled then it must have "write" permissions. + This also enables Connect replication in Consul Enterprise, for which the token will require + both operator "write" and intention "read" permissions for replicating CA and Intention data. * `acl_datacenter` - **This field is deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** @@ -865,8 +867,6 @@ default will automatically work with some tooling. * `proxy_defaults` [**Deprecated**](/docs/connect/proxies/managed-deprecated.html) This object configures the default proxy settings for service definitions with [managed proxies](/docs/connect/proxies/managed-deprecated.html) (now deprecated). It accepts the fields `exec_mode`, `daemon_command`, and `config`. These are used as default values for the respective fields in the service definition. - * `replication_token` When provided, this will enable Connect replication using this token to retrieve and replicate the Intentions to the non-authoritative local datacenter. - * `datacenter` Equivalent to the [`-datacenter` command-line flag](#_datacenter). From 1a4204f363f9d8dfe510f709f1d6431c26a0e676 Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Wed, 7 Nov 2018 02:16:03 -0800 Subject: [PATCH 2/3] agent: fix formatting --- agent/connect/ca/provider_consul.go | 6 ++-- agent/connect/testing_ca.go | 6 ++-- agent/consul/state/prepared_query_test.go | 4 +-- agent/structs/check_definition.go | 30 ++++++++--------- agent/structs/check_definition_test.go | 40 +++++++++++------------ 5 files changed, 43 insertions(+), 43 deletions(-) 
diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go index c4141ed48..8971d5cd9 100644 --- a/agent/connect/ca/provider_consul.go +++ b/agent/connect/ca/provider_consul.go @@ -623,9 +623,9 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error serialNum := &big.Int{} serialNum.SetUint64(sn) template := x509.Certificate{ - SerialNumber: serialNum, - Subject: pkix.Name{CommonName: name}, - URIs: []*url.URL{id.URI()}, + SerialNumber: serialNum, + Subject: pkix.Name{CommonName: name}, + URIs: []*url.URL{id.URI()}, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | diff --git a/agent/connect/testing_ca.go b/agent/connect/testing_ca.go index 67babf866..27a0dd20a 100644 --- a/agent/connect/testing_ca.go +++ b/agent/connect/testing_ca.go @@ -53,9 +53,9 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot { // Create the CA cert template := x509.Certificate{ - SerialNumber: sn, - Subject: pkix.Name{CommonName: result.Name}, - URIs: []*url.URL{id.URI()}, + SerialNumber: sn, + Subject: pkix.Name{CommonName: result.Name}, + URIs: []*url.URL{id.URI()}, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | diff --git a/agent/consul/state/prepared_query_test.go b/agent/consul/state/prepared_query_test.go index 8a832bd88..44495819e 100644 --- a/agent/consul/state/prepared_query_test.go +++ b/agent/consul/state/prepared_query_test.go @@ -11,8 +11,8 @@ import ( func TestStateStore_PreparedQuery_isUUID(t *testing.T) { cases := map[string]bool{ - "": false, - "nope": false, + "": false, + "nope": false, "f004177f-2c28-83b7-4229-eacc25fe55d1": true, "F004177F-2C28-83B7-4229-EACC25FE55D1": true, "x004177f-2c28-83b7-4229-eacc25fe55d1": false, // Bad hex diff --git a/agent/structs/check_definition.go b/agent/structs/check_definition.go index 42e9692fc..4252b4449 100644 --- a/agent/structs/check_definition.go +++ b/agent/structs/check_definition.go 
@@ -64,21 +64,21 @@ func (c *CheckDefinition) CheckType() *CheckType { Status: c.Status, Notes: c.Notes, - ScriptArgs: c.ScriptArgs, - AliasNode: c.AliasNode, - AliasService: c.AliasService, - HTTP: c.HTTP, - GRPC: c.GRPC, - GRPCUseTLS: c.GRPCUseTLS, - Header: c.Header, - Method: c.Method, - TCP: c.TCP, - Interval: c.Interval, - DockerContainerID: c.DockerContainerID, - Shell: c.Shell, - TLSSkipVerify: c.TLSSkipVerify, - Timeout: c.Timeout, - TTL: c.TTL, + ScriptArgs: c.ScriptArgs, + AliasNode: c.AliasNode, + AliasService: c.AliasService, + HTTP: c.HTTP, + GRPC: c.GRPC, + GRPCUseTLS: c.GRPCUseTLS, + Header: c.Header, + Method: c.Method, + TCP: c.TCP, + Interval: c.Interval, + DockerContainerID: c.DockerContainerID, + Shell: c.Shell, + TLSSkipVerify: c.TLSSkipVerify, + Timeout: c.Timeout, + TTL: c.TTL, DeregisterCriticalServiceAfter: c.DeregisterCriticalServiceAfter, } } diff --git a/agent/structs/check_definition_test.go b/agent/structs/check_definition_test.go index af240aa95..928a400bd 100644 --- a/agent/structs/check_definition_test.go +++ b/agent/structs/check_definition_test.go @@ -81,17 +81,17 @@ func TestCheckDefinitionToCheckType(t *testing.T) { Status: "green", Notes: "notes", - ServiceID: "svcid", - Token: "tok", - ScriptArgs: []string{"/bin/foo"}, - HTTP: "someurl", - TCP: "host:port", - Interval: 1 * time.Second, - DockerContainerID: "abc123", - Shell: "/bin/ksh", - TLSSkipVerify: true, - Timeout: 2 * time.Second, - TTL: 3 * time.Second, + ServiceID: "svcid", + Token: "tok", + ScriptArgs: []string{"/bin/foo"}, + HTTP: "someurl", + TCP: "host:port", + Interval: 1 * time.Second, + DockerContainerID: "abc123", + Shell: "/bin/ksh", + TLSSkipVerify: true, + Timeout: 2 * time.Second, + TTL: 3 * time.Second, DeregisterCriticalServiceAfter: 4 * time.Second, } want := &CheckType{ 
@@ -100,15 +100,15 @@ func TestCheckDefinitionToCheckType(t *testing.T) { Status: "green", Notes: "notes", - ScriptArgs: []string{"/bin/foo"}, - HTTP: "someurl", - TCP: "host:port", - Interval: 1 * time.Second, - DockerContainerID: "abc123", - Shell: "/bin/ksh", - TLSSkipVerify: true, - Timeout: 2 * time.Second, - TTL: 3 * time.Second, + ScriptArgs: []string{"/bin/foo"}, + HTTP: "someurl", + TCP: "host:port", + Interval: 1 * time.Second, + DockerContainerID: "abc123", + Shell: "/bin/ksh", + TLSSkipVerify: true, + Timeout: 2 * time.Second, + TTL: 3 * time.Second, DeregisterCriticalServiceAfter: 4 * time.Second, } verify.Values(t, "", got.CheckType(), want) From 69a8d149d520123778009e7fd6ab17e426b2cc5f Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Wed, 7 Nov 2018 09:22:23 -0800 Subject: [PATCH 3/3] docs: remove leftover typo from replication_token info --- website/source/docs/agent/options.html.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index b868991f7..734465e72 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md 
@@ -590,10 +590,10 @@ default will automatically work with some tooling. The ACL token used to authorize secondary datacenters with the primary datacenter for replication operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens) - on each server. If the `replication` token is set in the config. This token must have at least "read" permissions - on ACL data but if ACL token replication is enabled then it must have "write" permissions. - This also enables Connect replication in Consul Enterprise, for which the token will require - both operator "write" and intention "read" permissions for replicating CA and Intention data. + on each server. This token must have at least "read" permissions on ACL data but if ACL + token replication is enabled then it must have "write" permissions. This also enables + Connect replication in Consul Enterprise, for which the token will require both operator + "write" and intention "read" permissions for replicating CA and Intention data. * `acl_datacenter` - **This field is deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**