auto_config implies connect (#8433)
This commit is contained in:
Hans Hasselberg
GitHub
parent
eb934a2979
commit
fdceb24323
|
|
@ -626,10 +626,40 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier)
|
consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier)
|
||||||
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
||||||
|
|
||||||
// Connect proxy defaults.
|
// Connect
|
||||||
connectEnabled := b.boolVal(c.Connect.Enabled)
|
connectEnabled := b.boolVal(c.Connect.Enabled)
|
||||||
connectCAProvider := b.stringVal(c.Connect.CAProvider)
|
connectCAProvider := b.stringVal(c.Connect.CAProvider)
|
||||||
connectCAConfig := c.Connect.CAConfig
|
connectCAConfig := c.Connect.CAConfig
|
||||||
|
|
||||||
|
// autoEncrypt and autoConfig implicitly turns on connect which is why
|
||||||
|
// they need to be above other settings that rely on connect.
|
||||||
|
autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
|
||||||
|
autoEncryptDNSSAN := []string{}
|
||||||
|
for _, d := range c.AutoEncrypt.DNSSAN {
|
||||||
|
autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
|
||||||
|
}
|
||||||
|
autoEncryptIPSAN := []net.IP{}
|
||||||
|
for _, i := range c.AutoEncrypt.IPSAN {
|
||||||
|
ip := net.ParseIP(i)
|
||||||
|
if ip == nil {
|
||||||
|
b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
|
||||||
|
|
||||||
|
}
|
||||||
|
autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
|
||||||
|
|
||||||
|
if autoEncryptAllowTLS {
|
||||||
|
connectEnabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
autoConfig := b.autoConfigVal(c.AutoConfig)
|
||||||
|
if autoConfig.Enabled {
|
||||||
|
connectEnabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Connect proxy defaults
|
||||||
connectMeshGatewayWANFederationEnabled := b.boolVal(c.Connect.MeshGatewayWANFederationEnabled)
|
connectMeshGatewayWANFederationEnabled := b.boolVal(c.Connect.MeshGatewayWANFederationEnabled)
|
||||||
if connectMeshGatewayWANFederationEnabled && !connectEnabled {
|
if connectMeshGatewayWANFederationEnabled && !connectEnabled {
|
||||||
return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'")
|
return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'")
|
||||||
|
|
@ -668,27 +698,6 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
|
|
||||||
autoEncryptDNSSAN := []string{}
|
|
||||||
for _, d := range c.AutoEncrypt.DNSSAN {
|
|
||||||
autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
|
|
||||||
}
|
|
||||||
autoEncryptIPSAN := []net.IP{}
|
|
||||||
for _, i := range c.AutoEncrypt.IPSAN {
|
|
||||||
ip := net.ParseIP(i)
|
|
||||||
if ip == nil {
|
|
||||||
b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
|
|
||||||
|
|
||||||
}
|
|
||||||
autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
|
|
||||||
|
|
||||||
if autoEncryptAllowTLS {
|
|
||||||
connectEnabled = true
|
|
||||||
}
|
|
||||||
|
|
||||||
aclsEnabled := false
|
aclsEnabled := false
|
||||||
primaryDatacenter := strings.ToLower(b.stringVal(c.PrimaryDatacenter))
|
primaryDatacenter := strings.ToLower(b.stringVal(c.PrimaryDatacenter))
|
||||||
if c.ACLDatacenter != nil {
|
if c.ACLDatacenter != nil {
|
||||||
|
|
@ -908,7 +917,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
AutoEncryptDNSSAN: autoEncryptDNSSAN,
|
AutoEncryptDNSSAN: autoEncryptDNSSAN,
|
||||||
AutoEncryptIPSAN: autoEncryptIPSAN,
|
AutoEncryptIPSAN: autoEncryptIPSAN,
|
||||||
AutoEncryptAllowTLS: autoEncryptAllowTLS,
|
AutoEncryptAllowTLS: autoEncryptAllowTLS,
|
||||||
AutoConfig: b.autoConfigVal(c.AutoConfig),
|
AutoConfig: autoConfig,
|
||||||
ConnectEnabled: connectEnabled,
|
ConnectEnabled: connectEnabled,
|
||||||
ConnectCAProvider: connectCAProvider,
|
ConnectCAProvider: connectCAProvider,
|
||||||
ConnectCAConfig: connectCAConfig,
|
ConnectCAConfig: connectCAConfig,
|
||||||
|
|
|
||||||
|
|
@ -3986,6 +3986,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
||||||
"Both an intro token and intro token file are set. The intro token will be used instead of the file",
|
"Both an intro token and intro token file are set. The intro token will be used instead of the file",
|
||||||
},
|
},
|
||||||
patch: func(rt *RuntimeConfig) {
|
patch: func(rt *RuntimeConfig) {
|
||||||
|
rt.ConnectEnabled = true
|
||||||
rt.AutoConfig.Enabled = true
|
rt.AutoConfig.Enabled = true
|
||||||
rt.AutoConfig.IntroToken = "blah"
|
rt.AutoConfig.IntroToken = "blah"
|
||||||
rt.AutoConfig.IntroTokenFile = "blah"
|
rt.AutoConfig.IntroTokenFile = "blah"
|
||||||
|
|
|
||||||
|
|
@ -147,10 +147,10 @@ func (s *Server) LocalTokensEnabled() bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" {
|
if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" {
|
||||||
|
// token replication is off so local tokens are disabled
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// token replication is off so local tokens are disabled
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -930,7 +930,9 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
||||||
The initial RPC uses a JWT specified with either `intro_token`,
|
The initial RPC uses a JWT specified with either `intro_token`,
|
||||||
`intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize
|
`intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize
|
||||||
the request. How the JWT token is verified is controlled by the `auto_config.authorizer`
|
the request. How the JWT token is verified is controlled by the `auto_config.authorizer`
|
||||||
object available for use on Consul servers.
|
object available for use on Consul servers. Enabling this option also turns
|
||||||
|
on Connect because it is vital for `auto_config`, more specifically the CA
|
||||||
|
and certificates infrastructure.
|
||||||
|
|
||||||
- `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial
|
- `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial
|
||||||
`auto_config` RPC to the Consul servers. This can be overridden with the
|
`auto_config` RPC to the Consul servers. This can be overridden with the
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue