open-consul/api
Mike Morris 277c41d336
ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576)
* xds: refactor ingress listener SDS configuration

* xds: update resolveListenerSDS call args in listeners_test

* ingress: add TLS min, max and cipher suites to GatewayTLSConfig

* xds: implement envoyTLSVersions and envoyTLSCipherSuites

* xds: merge TLS config

* xds: configure TLS parameters with ingress TLS context from leaf

* xds: nil check in resolveListenerTLSConfig validation

* xds: nil check in makeTLSParameters* functions

* changelog: add entry for TLS params on ingress config entries

* xds: remove indirection for TLS params in TLSConfig structs

* xds: return tlsContext, nil instead of ambiguous err

Co-authored-by: Chris S. Kim <ckim@hashicorp.com>

* xds: switch zero checks to types.TLSVersionUnspecified

* ingress: add validation for ingress config entry TLS params

* ingress: validate listener TLS config

* xds: add basic ingress with TLS params tests

* xds: add ingress listeners mixed TLS min version defaults precedence test

* xds: add more explicit tests for ingress listeners inheriting gateway defaults

* xds: add test for single TLS listener on gateway without TLS defaults

* xds: regen golden files for TLSVersionInvalid zero value, add TLSVersionAuto listener test

* types/tls: change TLSVersion to string

* types/tls: update TLSCipherSuite to string type

* types/tls: implement validation functions for TLSVersion and TLSCipherSuites, make some maps private

* api: add TLS params to GatewayTLSConfig, add tests

* api: add TLSMinVersion to ingress gateway config entry test JSON

* xds: switch to Envoy TLS cipher suite encoding from types package

* xds: fixup validation for TLSv1_3 min version with cipher suites

* add some kitchen sink tests and add a missing struct tag

* xds: check if mergedCfg.TLSVersion is in TLSVersionsWithConfigurableCipherSuites

* xds: update connectTLSEnabled comment

* xds: remove unused resolveGatewayServiceTLSConfig function

* xds: add makeCommonTLSContextFromLeafWithoutParams

* types/tls: add LessThan comparator function for concrete values

* types/tls: change tlsVersions validation map from string to TLSVersion keys

* types/tls: remove unused envoyTLSCipherSuites

* types/tls: enable chacha20 cipher suites for Consul agent

* types/tls: remove insecure cipher suites from allowed config

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 are both explicitly listed as insecure and disabled in the Go source.

Refs https://cs.opensource.google/go/go/+/refs/tags/go1.17.3:src/crypto/tls/cipher_suites.go;l=329-330

* types/tls: add ValidateConsulAgentCipherSuites function, make direct lookup map private

* types/tls: return all unmatched cipher suites in validation errors

* xds: check that Envoy API value matching TLS version is found when building TlsParameters

* types/tls: check that value is found in map before appending to slice in MarshalEnvoyTLSCipherSuiteStrings

* types/tls: cast to string rather than fmt.Printf in TLSCipherSuite.String()

* xds: add TLSVersionUnspecified to list of configurable cipher suites

* structs: update note about config entry warning

* xds: remove TLS min version cipher suite unconfigurable test placeholder

* types/tls: update tests to remove assumption about private map values

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2022-01-11 11:46:42 -05:00
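
The commit message above removes two CBC-SHA256 suites because Go lists them as insecure, and says validation errors should return all unmatched cipher suites. The following is an added example, not code from this commit or from Consul's types/tls package: it uses only Go's standard `crypto/tls` tables, and the helper names `checkCipherSuites` and `validateCipherSuites` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// checkCipherSuites is a hypothetical helper, not Consul's types/tls code.
// It checks each name against Go's crypto/tls tables and reports every reject.
func checkCipherSuites(names []string) (insecure, unknown []string) {
	secureSet := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		secureSet[cs.Name] = true
	}
	insecureSet := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecureSet[cs.Name] = true
	}
	for _, n := range names {
		if insecureSet[n] {
			insecure = append(insecure, n)
		} else if !secureSet[n] {
			unknown = append(unknown, n)
		}
	}
	return insecure, unknown
}

// validateCipherSuites returns a single error naming all rejected suites.
func validateCipherSuites(names []string) error {
	insecure, unknown := checkCipherSuites(names)
	if len(insecure) == 0 && len(unknown) == 0 {
		return nil
	}
	return fmt.Errorf("rejected cipher suites: insecure=[%s] unknown=[%s]",
		strings.Join(insecure, ", "), strings.Join(unknown, ", "))
}

func main() {
	// Constructed input: one accepted suite, two insecure ones, one misspelled.
	requested := []string{
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25",
	}
	fmt.Println(validateCipherSuites(requested))
}
```

Reporting every rejected name in one error lets an operator fix a config entry in a single pass instead of resubmitting once per bad suite.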
watch tests: skip cases that depend on test server when -short flag set (#10576) 2021-07-09 16:42:30 -07:00
.golangci.yml
README.md
acl.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
acl_test.go api: remove the test for TestAPI_RulesTranslate_Raw 2021-10-05 18:56:27 -04:00
agent.go add path escape and unescape to path params 2022-01-03 08:18:32 -08:00
agent_test.go Rename `agent_master` ACL token in the API and CLI (#11669) 2021-12-02 17:05:27 +00:00
api.go Groundwork for exposing when queries are filtered by ACLs (#11569) 2021-12-03 17:11:26 +00:00
api_test.go Groundwork for exposing when queries are filtered by ACLs (#11569) 2021-12-03 17:11:26 +00:00
catalog.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
catalog_test.go state: partition nodes and coordinates in the state store (#10859) 2021-08-17 13:29:39 -05:00
config_entry.go Rename partition-exports to exported-services 2021-12-03 17:47:31 -07:00
config_entry_discoverychain.go Update api module and decoding tests 2021-12-06 12:32:29 -07:00
config_entry_discoverychain_test.go fix test failures 2021-12-06 14:45:44 -06:00
config_entry_exports.go Rename partition-exports to exported-services 2021-12-03 17:47:31 -07:00
config_entry_gateways.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
config_entry_gateways_test.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
config_entry_intentions.go Sync partition fields from enterprise (#11021) 2021-09-13 17:53:52 -04:00
config_entry_intentions_test.go connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
config_entry_mesh.go Update filename to match entry kind - mesh 2021-10-27 15:01:26 -06:00
config_entry_test.go ingress: allow setting TLS min version and cipher suites in ingress gateway config entries (#11576) 2022-01-11 11:46:42 -05:00
connect.go
connect_ca.go add root_cert_ttl option for consul connect, vault ca providers (#11428) 2021-11-02 11:02:10 -07:00
connect_ca_test.go add root_cert_ttl option for consul connect, vault ca providers (#11428) 2021-11-02 11:02:10 -07:00
connect_intention.go api: ensure new partition fields are omit empty for back compat (#11585) 2021-11-16 12:28:34 -06:00
connect_intention_test.go Support partitions in connect expose cmd 2021-11-12 14:45:32 -07:00
coordinate.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
coordinate_test.go agent: ensure that most agent behavior correctly respects partition configuration (#10880) 2021-08-19 15:09:42 -05:00
debug.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
debug_test.go
discovery_chain.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
discovery_chain_test.go partition discovery chains (#10983) 2021-09-07 16:29:32 -04:00
event.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
event_test.go
go.mod partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
go.sum partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
health.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
health_test.go oss: Rename default partition 2021-08-12 14:31:37 -07:00
kv.go KV refactoring, part 2 (#11512) 2021-11-08 11:43:21 -05:00
kv_test.go
lock.go Make LockDelay configurable in api locks (#8621) 2020-09-04 13:38:26 -06:00
lock_test.go
mock_api_test.go AutopilotServerHealth now handles the 429 status code (#8599) 2021-03-12 09:40:49 -05:00
namespace.go Add partitions to prettyformatters (#11789) 2021-12-09 15:58:45 -05:00
namespace_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
operator.go
operator_area.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
operator_autopilot.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
operator_autopilot_test.go add StatusError to api package (#11054) 2021-09-20 14:04:13 -07:00
operator_keyring.go partitions: various refactors to support partitioning the serf LAN pool (#11568) 2021-11-15 09:51:14 -06:00
operator_keyring_test.go
operator_license.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
operator_raft.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
operator_raft_test.go
operator_segment.go
oss_test.go re-run gofmt on 1.17 (#11579) 2021-11-16 12:04:01 -06:00
partition.go Clarify feature name in partition docstring 2021-12-03 17:05:17 -07:00
prepared_query.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
prepared_query_test.go
raw.go
semaphore.go
semaphore_test.go ci: enable SA4006 staticcheck check 2020-06-16 13:10:11 -04:00
session.go api: properly close the response body 2021-06-14 18:52:59 -04:00
session_test.go ci: enable SA4006 staticcheck check 2020-06-16 13:10:11 -04:00
snapshot.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
snapshot_test.go
status.go Refactor requireHttpCodes for segregated error handling (#11287) 2021-10-28 12:24:23 -04:00
status_test.go api: restore Leader() and Peers() to avoid breaking function signatures (#8395) 2020-07-29 12:09:15 -04:00
txn.go replumbing a bunch of api and agent structs for partitions (#10681) 2021-07-22 14:33:22 -05:00
txn_test.go KV refactoring, part 2 (#11512) 2021-11-08 11:43:21 -05:00

README.md

Consul API client

This package provides the api package, which attempts to provide programmatic access to the full Consul API.

Currently, all of the Consul APIs included in version 0.6.0 are supported.

Documentation

The full documentation is available on Godoc.

Usage

Below is an example of using the Consul client:

package main

import "github.com/hashicorp/consul/api"
import "fmt"

func main() {
	// Get a new client
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		panic(err)
	}

	// Get a handle to the KV API
	kv := client.KV()

	// PUT a new KV pair
	p := &api.KVPair{Key: "REDIS_MAXCLIENTS", Value: []byte("1000")}
	_, err = kv.Put(p, nil)
	if err != nil {
		panic(err)
	}

	// Lookup the pair
	pair, _, err := kv.Get("REDIS_MAXCLIENTS", nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("KV: %v %s\n", pair.Key, pair.Value)
}

To run this example, start a Consul server:

consul agent -dev

Copy the code above into a file such as main.go.

Install and run. You'll see a key (REDIS_MAXCLIENTS) and value (1000) printed.

$ go get
$ go run main.go
KV: REDIS_MAXCLIENTS 1000

After running the code, you can also view the values in the Consul UI on your local machine at http://localhost:8500/ui/dc1/kv