Merge pull request #4917 from hashicorp/replication-token-cleanup

Use acl replication_token for connect

agent/config/builder.go

@@ -756,6 +756,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		ConnectProxyDefaultDaemonCommand:        proxyDefaultDaemonCommand,
 		ConnectProxyDefaultScriptCommand:        proxyDefaultScriptCommand,
 		ConnectProxyDefaultConfig:               proxyDefaultConfig,
+		ConnectReplicationToken:                 b.stringVal(c.ACL.Tokens.Replication),
 		DataDir:                                 b.stringVal(c.DataDir),
 		Datacenter:                              datacenter,
 		DevMode:                                 b.boolVal(b.Flags.DevMode),

agent/config/config.go

@@ -499,12 +499,11 @@ type Upstream struct {
 type Connect struct {
 	// Enabled opts the agent into connect. It should be set on all clients and
 	// servers in a cluster for correct connect operation.
-	Enabled          *bool                  `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
-	Proxy            ConnectProxy           `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
-	ProxyDefaults    ConnectProxyDefaults   `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
-	CAProvider       *string                `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
-	CAConfig         map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
-	ReplicationToken *string                `json:"replication_token,omitempty" hcl:"replication_token" mapstructure:"replication_token"`
+	Enabled       *bool                  `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
+	Proxy         ConnectProxy           `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
+	ProxyDefaults ConnectProxyDefaults   `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
+	CAProvider    *string                `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
+	CAConfig      map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
 }
 
 // ConnectProxy is the agent-global connect proxy configuration.

agent/config/runtime_test.go

@@ -4143,6 +4143,7 @@ func TestFullConfig(t *testing.T) {
 			"connect_timeout_ms": float64(1000),
 			"pedantic_mode":      true,
 		},
+		ConnectReplicationToken:          "5795983a",
 		DNSAddrs:                         []net.Addr{tcpAddr("93.95.95.81:7001"), udpAddr("93.95.95.81:7001")},
 		DNSARecordLimit:                  29907,
 		DNSAllowStale:                    true,

agent/connect/ca/provider_consul.go

@@ -623,9 +623,9 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 	serialNum := &big.Int{}
 	serialNum.SetUint64(sn)
 	template := x509.Certificate{
-		SerialNumber: serialNum,
-		Subject:      pkix.Name{CommonName: name},
-		URIs:         []*url.URL{id.URI()},
+		SerialNumber:          serialNum,
+		Subject:               pkix.Name{CommonName: name},
+		URIs:                  []*url.URL{id.URI()},
 		BasicConstraintsValid: true,
 		KeyUsage: x509.KeyUsageCertSign |
 			x509.KeyUsageCRLSign |

agent/connect/testing_ca.go

@@ -53,9 +53,9 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 
 	// Create the CA cert
 	template := x509.Certificate{
-		SerialNumber: sn,
-		Subject:      pkix.Name{CommonName: result.Name},
-		URIs:         []*url.URL{id.URI()},
+		SerialNumber:          sn,
+		Subject:               pkix.Name{CommonName: result.Name},
+		URIs:                  []*url.URL{id.URI()},
 		BasicConstraintsValid: true,
 		KeyUsage: x509.KeyUsageCertSign |
 			x509.KeyUsageCRLSign |

agent/consul/state/prepared_query_test.go

@@ -11,8 +11,8 @@ import (
 
 func TestStateStore_PreparedQuery_isUUID(t *testing.T) {
 	cases := map[string]bool{
-		"":     false,
-		"nope": false,
+		"":                                      false,
+		"nope":                                  false,
 		"f004177f-2c28-83b7-4229-eacc25fe55d1":  true,
 		"F004177F-2C28-83B7-4229-EACC25FE55D1":  true,
 		"x004177f-2c28-83b7-4229-eacc25fe55d1":  false, // Bad hex

agent/structs/check_definition.go

@@ -64,21 +64,21 @@ func (c *CheckDefinition) CheckType() *CheckType {
 		Status:  c.Status,
 		Notes:   c.Notes,
 
-		ScriptArgs:        c.ScriptArgs,
-		AliasNode:         c.AliasNode,
-		AliasService:      c.AliasService,
-		HTTP:              c.HTTP,
-		GRPC:              c.GRPC,
-		GRPCUseTLS:        c.GRPCUseTLS,
-		Header:            c.Header,
-		Method:            c.Method,
-		TCP:               c.TCP,
-		Interval:          c.Interval,
-		DockerContainerID: c.DockerContainerID,
-		Shell:             c.Shell,
-		TLSSkipVerify:     c.TLSSkipVerify,
-		Timeout:           c.Timeout,
-		TTL:               c.TTL,
+		ScriptArgs:                     c.ScriptArgs,
+		AliasNode:                      c.AliasNode,
+		AliasService:                   c.AliasService,
+		HTTP:                           c.HTTP,
+		GRPC:                           c.GRPC,
+		GRPCUseTLS:                     c.GRPCUseTLS,
+		Header:                         c.Header,
+		Method:                         c.Method,
+		TCP:                            c.TCP,
+		Interval:                       c.Interval,
+		DockerContainerID:              c.DockerContainerID,
+		Shell:                          c.Shell,
+		TLSSkipVerify:                  c.TLSSkipVerify,
+		Timeout:                        c.Timeout,
+		TTL:                            c.TTL,
 		DeregisterCriticalServiceAfter: c.DeregisterCriticalServiceAfter,
 	}
 }

agent/structs/check_definition_test.go

@@ -81,17 +81,17 @@ func TestCheckDefinitionToCheckType(t *testing.T) {
 		Status: "green",
 		Notes:  "notes",
 
-		ServiceID:         "svcid",
-		Token:             "tok",
-		ScriptArgs:        []string{"/bin/foo"},
-		HTTP:              "someurl",
-		TCP:               "host:port",
-		Interval:          1 * time.Second,
-		DockerContainerID: "abc123",
-		Shell:             "/bin/ksh",
-		TLSSkipVerify:     true,
-		Timeout:           2 * time.Second,
-		TTL:               3 * time.Second,
+		ServiceID:                      "svcid",
+		Token:                          "tok",
+		ScriptArgs:                     []string{"/bin/foo"},
+		HTTP:                           "someurl",
+		TCP:                            "host:port",
+		Interval:                       1 * time.Second,
+		DockerContainerID:              "abc123",
+		Shell:                          "/bin/ksh",
+		TLSSkipVerify:                  true,
+		Timeout:                        2 * time.Second,
+		TTL:                            3 * time.Second,
 		DeregisterCriticalServiceAfter: 4 * time.Second,
 	}
 	want := &CheckType{
@@ -100,15 +100,15 @@ func TestCheckDefinitionToCheckType(t *testing.T) {
 		Status:  "green",
 		Notes:   "notes",
 
-		ScriptArgs:        []string{"/bin/foo"},
-		HTTP:              "someurl",
-		TCP:               "host:port",
-		Interval:          1 * time.Second,
-		DockerContainerID: "abc123",
-		Shell:             "/bin/ksh",
-		TLSSkipVerify:     true,
-		Timeout:           2 * time.Second,
-		TTL:               3 * time.Second,
+		ScriptArgs:                     []string{"/bin/foo"},
+		HTTP:                           "someurl",
+		TCP:                            "host:port",
+		Interval:                       1 * time.Second,
+		DockerContainerID:              "abc123",
+		Shell:                          "/bin/ksh",
+		TLSSkipVerify:                  true,
+		Timeout:                        2 * time.Second,
+		TTL:                            3 * time.Second,
 		DeregisterCriticalServiceAfter: 4 * time.Second,
 	}
 	verify.Values(t, "", got.CheckType(), want)

website/source/docs/agent/options.html.md

@@ -590,8 +590,10 @@ default will automatically work with some tooling.
         The ACL token used to authorize secondary datacenters with the primary datacenter for replication
         operations. This token is required for servers outside the [`primary_datacenter`](#primary_datacenter) when
         ACLs are enabled. This token may be provided later using the [agent token API](/api/agent.html#update-acl-tokens)
-        on each server. If the `replication` token is set in the config. This token must have at least "read" permissions
-        on ACL data but if ACL token replication is enabled then it must have "write" permissions.
+        on each server. This token must have at least "read" permissions on ACL data but if ACL 
+        token replication is enabled then it must have "write" permissions. This also enables 
+        Connect replication in Consul Enterprise, for which the token will require both operator 
+        "write" and intention "read" permissions for replicating CA and Intention data.
 
 * <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
   deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
@@ -865,8 +867,6 @@ default will automatically work with some tooling.
 
     * <a name="connect_proxy_defaults"></a><a href="#connect_proxy_defaults">`proxy_defaults`</a> [**Deprecated**](/docs/connect/proxies/managed-deprecated.html) This object configures the default proxy settings for service definitions with [managed proxies](/docs/connect/proxies/managed-deprecated.html) (now deprecated). It accepts the fields `exec_mode`, `daemon_command`, and `config`. These are used as default values for the respective fields in the service definition.
 
-    * <a name="replication_token"></a><a href="#replication_token">`replication_token`</a> When provided, this will enable Connect replication using this token to retrieve and replicate the Intentions to the non-authoritative local datacenter.
-
 * <a name="datacenter"></a><a href="#datacenter">`datacenter`</a> Equivalent to the
   [`-datacenter` command-line flag](#_datacenter).