Merge pull request #4917 from hashicorp/replication-token-cleanup

Use acl replication_token for connect
Kyle Havlovitz 2018-11-12 09:12:54 -08:00 committed by GitHub
commit b0dcf54e50
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 54 additions and 53 deletions


@ -756,6 +756,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
ConnectProxyDefaultDaemonCommand: proxyDefaultDaemonCommand,
ConnectProxyDefaultScriptCommand: proxyDefaultScriptCommand,
ConnectProxyDefaultConfig: proxyDefaultConfig,
ConnectReplicationToken: b.stringVal(c.ACL.Tokens.Replication),
DataDir: b.stringVal(c.DataDir),
Datacenter: datacenter,
DevMode: b.boolVal(b.Flags.DevMode),
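Review bot: The new `ConnectReplicationToken: b.stringVal(c.ACL.Tokens.Replication)` has no fallback for configs that still set the `connect.replication_token` key, which the second section (`type Connect`) deletes outright; depending on whether the config parser rejects unknown keys, such agents will either fail to start or silently lose their Connect replication token, so a one-release deprecation shim would make the change safe. Suggest keeping the field in `Connect` for now and warning in Build() when it is set, e.g. `if c.Connect.ReplicationToken != nil { b.warn("connect.replication_token is deprecated; use acl.tokens.replication instead") }`, falling back to that value only when `acl.tokens.replication` is empty. Because the ACL replication token now also drives CA and intention replication, it carries operator and intention permissions beyond plain ACL replication and is more sensitive than before, so it is worth confirming it is still redacted wherever the runtime config is sanitized for logging or the API. Build() starts and ends outside this hunk.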


@ -504,7 +504,6 @@ type Connect struct {
ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
ReplicationToken *string `json:"replication_token,omitempty" hcl:"replication_token" mapstructure:"replication_token"`
}
// ConnectProxy is the agent-global connect proxy configuration.


@ -4143,6 +4143,7 @@ func TestFullConfig(t *testing.T) {
"connect_timeout_ms": float64(1000),
"pedantic_mode": true,
},
ConnectReplicationToken: "5795983a",
DNSAddrs: []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")},
DNSARecordLimit: 29907,
DNSAllowStale: true,


@ -590,8 +590,10 @@ default will automatically work with some tooling.
The ACL token used to authorize secondary datacenters with the primary datacenter for replication
operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when
ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens)
on each server. If the `replication` token is set in the config. This token must have at least "read" permissions
on ACL data but if ACL token replication is enabled then it must have "write" permissions.
on each server. This token must have at least "read" permissions on ACL data but if ACL
token replication is enabled then it must have "write" permissions. This also enables
Connect replication in Consul Enterprise, for which the token will require both operator
"write" and intention "read" permissions for replicating CA and Intention data.
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
@ -865,8 +867,6 @@ default will automatically work with some tooling.
* <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> [**Deprecated**](/docs/connect/proxies/managed-deprecated.html) This object configures the default proxy settings for service definitions with [managed proxies](/docs/connect/proxies/managed-deprecated.html) (now deprecated). It accepts the fields `exec_mode`, `daemon_command`, and `config`. These are used as default values for the respective fields in the service definition.
* <a name="replication_token"></a><a href="#replication_token">`replication_token`</a> When provided, this will enable Connect replication using this token to retrieve and replicate the Intentions to the non-authoritative local datacenter.
* <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the
[`-datacenter` command-line flag](#_datacenter).