auto_config implies connect (#8433)
This commit is contained in:
parent
eb934a2979
commit
fdceb24323
@ -626,10 +626,40 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
|||
consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier)
|
||||
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
||||
|
||||
// Connect proxy defaults.
|
||||
// Connect
|
||||
connectEnabled := b.boolVal(c.Connect.Enabled)
|
||||
connectCAProvider := b.stringVal(c.Connect.CAProvider)
|
||||
connectCAConfig := c.Connect.CAConfig
|
||||
|
||||
// autoEncrypt and autoConfig implicitly turns on connect which is why
|
||||
// they need to be above other settings that rely on connect.
|
||||
autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
|
||||
autoEncryptDNSSAN := []string{}
|
||||
for _, d := range c.AutoEncrypt.DNSSAN {
|
||||
autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
|
||||
}
|
||||
autoEncryptIPSAN := []net.IP{}
|
||||
for _, i := range c.AutoEncrypt.IPSAN {
|
||||
ip := net.ParseIP(i)
|
||||
if ip == nil {
|
||||
b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
|
||||
continue
|
||||
}
|
||||
autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
|
||||
|
||||
}
|
||||
autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
|
||||
|
||||
if autoEncryptAllowTLS {
|
||||
connectEnabled = true
|
||||
}
|
||||
|
||||
autoConfig := b.autoConfigVal(c.AutoConfig)
|
||||
if autoConfig.Enabled {
|
||||
connectEnabled = true
|
||||
}
|
||||
|
||||
// Connect proxy defaults
|
||||
connectMeshGatewayWANFederationEnabled := b.boolVal(c.Connect.MeshGatewayWANFederationEnabled)
|
||||
if connectMeshGatewayWANFederationEnabled && !connectEnabled {
|
||||
return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'")
|
||||
|
@ -668,27 +698,6 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
|||
})
|
||||
}
|
||||
|
||||
autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
|
||||
autoEncryptDNSSAN := []string{}
|
||||
for _, d := range c.AutoEncrypt.DNSSAN {
|
||||
autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
|
||||
}
|
||||
autoEncryptIPSAN := []net.IP{}
|
||||
for _, i := range c.AutoEncrypt.IPSAN {
|
||||
ip := net.ParseIP(i)
|
||||
if ip == nil {
|
||||
b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
|
||||
continue
|
||||
}
|
||||
autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
|
||||
|
||||
}
|
||||
autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
|
||||
|
||||
if autoEncryptAllowTLS {
|
||||
connectEnabled = true
|
||||
}
|
||||
|
||||
aclsEnabled := false
|
||||
primaryDatacenter := strings.ToLower(b.stringVal(c.PrimaryDatacenter))
|
||||
if c.ACLDatacenter != nil {
|
||||
|
@ -908,7 +917,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
|||
AutoEncryptDNSSAN: autoEncryptDNSSAN,
|
||||
AutoEncryptIPSAN: autoEncryptIPSAN,
|
||||
AutoEncryptAllowTLS: autoEncryptAllowTLS,
|
||||
AutoConfig: b.autoConfigVal(c.AutoConfig),
|
||||
AutoConfig: autoConfig,
|
||||
ConnectEnabled: connectEnabled,
|
||||
ConnectCAProvider: connectCAProvider,
|
||||
ConnectCAConfig: connectCAConfig,
|
||||
|
|
|
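Review bot: An explicit `connect.enabled = false` is now silently overridden when `auto_config.enabled` or `auto_encrypt.allow_tls` is set (the two `connectEnabled = true` assignments in this hunk), so an operator who deliberately disabled Connect ends up with the CA bootstrapped and Connect enabled with no indication in the logs. A warning at the override point would make that visible, e.g. `if autoConfig.Enabled && !connectEnabled { b.warn("auto_config.enabled=true implicitly enables connect") }` placed just before the assignment, and the same for the `autoEncryptAllowTLS` branch above it. Since `c.Connect.Enabled` goes through `boolVal` it looks like a pointer field; if so, limiting the warning to an explicitly configured false (`c.Connect.Enabled != nil && !*c.Connect.Enabled`) avoids noise when the option is merely unset — worth confirming against the field's type. Build's body starts and ends outside the hunk; the moved comment `autoEncrypt and autoConfig implicitly turns on connect` should read `implicitly turn on connect`.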
@ -3986,6 +3986,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
"Both an intro token and intro token file are set. The intro token will be used instead of the file",
|
||||
},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.ConnectEnabled = true
|
||||
rt.AutoConfig.Enabled = true
|
||||
rt.AutoConfig.IntroToken = "blah"
|
||||
rt.AutoConfig.IntroTokenFile = "blah"
|
||||
|
|
|
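Review bot: The added `rt.ConnectEnabled = true` only pins the new implication as a side effect of the intro-token edge case; unless a case exists outside the hunk, a dedicated test that sets `auto_config.enabled = true` alone (and one for `auto_encrypt.allow_tls`) and asserts `ConnectEnabled` would document the behaviour directly, and a third case combining it with an explicit `connect.enabled = false` would fix which setting wins. The enclosing test table continues outside the hunk.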
@ -147,10 +147,10 @@ func (s *Server) LocalTokensEnabled() bool {
|
|||
}
|
||||
|
||||
if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" {
|
||||
// token replication is off so local tokens are disabled
|
||||
return false
|
||||
}
|
||||
|
||||
// token replication is off so local tokens are disabled
|
||||
return true
|
||||
}
|
||||
|
||||
|
|
|
@ -930,7 +930,9 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
|
|||
The initial RPC uses a JWT specified with either `intro_token`,
|
||||
`intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize
|
||||
the request. How the JWT token is verified is controlled by the `auto_config.authorizer`
|
||||
object available for use on Consul servers.
|
||||
object available for use on Consul servers. Enabling this option also turns
|
||||
on Connect because it is vital for `auto_config`, more specifically the CA
|
||||
and certificates infrastructure.
|
||||
|
||||
- `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial
|
||||
`auto_config` RPC to the Consul servers. This can be overridden with the
|
||||
|
|