Chelsea Holland Komlo
38f611a7f2
refactor NewTLSConfiguration to pass in verifyIncoming/verifyOutgoing
...
add missing fields to TLS merge method
2018-05-23 18:35:30 -04:00
Chelsea Holland Komlo
44f536f18e
add support for configurable TLS minimum version
2018-05-09 18:07:12 -04:00
Chelsea Holland Komlo
796bae6f1b
allow configurable cipher suites
...
disallow 3DES and RC4 ciphers
add documentation for tls_cipher_suites
2018-05-09 17:15:31 -04:00
Chelsea Holland Komlo
b33d909bf9
add test to assert invalid files return error
2018-03-28 18:31:35 -04:00
Chelsea Holland Komlo
58ada9bc42
return error when setting checksum; don't reload
2018-03-28 18:15:50 -04:00
Chelsea Holland Komlo
2d5af7ff4d
set TLS checksum when parsing config
...
Refactor checksum comparison, always set checksum if it is empty
2018-03-28 09:56:11 -04:00
Chelsea Holland Komlo
6e6d6b7e33
check file contents when determining if agent should reload TLS configuration
2018-03-27 15:42:20 -04:00
Chelsea Holland Komlo
66e44cdb73
Allow TLS configurations for HTTP and RPC connections to be reloaded separately
2018-03-21 17:51:08 -04:00
James Rasell
121c3bc997
Update Consul check params from using health-check to check.
2018-03-20 16:03:58 +01:00
James Rasell
15afef9b77
Allow Nomad's Consul health checks to be configurable.
...
This change allows the client HTTP and the server HTTP, Serf and
RPC health check names within Consul to be configurable with the
defaults as previous. The configuration can be done via either a
config file or using CLI flags.
Closes #3988
2018-03-19 19:37:56 +01:00
Kyle Havlovitz
2ccf565bf6
Refactor redundancy_zone/upgrade_version out of client meta
2018-01-29 20:03:38 -08:00
Chelsea Komlo
d09cc2a69f
Merge pull request #3492 from hashicorp/f-client-tls-reload
...
Client/Server TLS dynamic reload
2018-01-23 05:51:32 -05:00
Kyle Havlovitz
bc385bcc93
Fix comments/text referring to consul
2018-01-17 00:20:13 -08:00
Chelsea Holland Komlo
0708d34135
call reload on agent, client, and server separately
2018-01-08 09:56:31 -05:00
Chelsea Holland Komlo
3f34b59ee6
remove unnecessary nil checks; default case
...
add tests for TLSConfig object
2018-01-08 09:24:28 -05:00
Chelsea Holland Komlo
6a2432659a
code review fixups
2018-01-08 09:21:06 -05:00
Chelsea Holland Komlo
c0ad9a4627
add ability to upgrade/downgrade nomad agents tls configurations via sighup
2018-01-08 09:21:06 -05:00
Kyle Havlovitz
1c07066064
Add autopilot functionality based on Consul's autopilot
2017-12-18 14:29:41 -08:00
Chelsea Holland Komlo
5951222ccb
fix for rpc_upgrade_mode
2017-12-11 19:23:45 -05:00
Chelsea Komlo
2dfda33703
Nomad agent reload TLS configuration on SIGHUP (#3479)
...
* Allow server TLS configuration to be reloaded via SIGHUP
* dynamic tls reloading for nomad agents
* code cleanup and refactoring
* ensure keyloader is initialized, add comments
* allow downgrading from TLS
* initialize keyloader if necessary
* integration test for tls reload
* fix up test to assert success on reloaded TLS configuration
* failure in loading a new TLS config should remain at current
Reload only the config if agent is already using TLS
* reload agent configuration before specific server/client
lock keyloader before loading/caching a new certificate
* introduce a get-or-set method for keyloader
* fixups from code review
* fix up linting errors
* fixups from code review
* add lock for config updates; improve copy of tls config
* GetCertificate only reloads certificates dynamically for the server
* config updates/copies should be on agent
* improve http integration test
* simplify agent reloading storing a local copy of config
* reuse the same keyloader when reloading
* Test that server and client get reloaded but keep keyloader
* Keyloader exposes GetClientCertificate as well for outgoing connections
* Fix spelling
* correct changelog style
2017-11-14 17:53:23 -08:00
Chelsea Holland Komlo
e348deecf5
fixups from code review
2017-11-01 15:21:05 -05:00
Chelsea Holland Komlo
afe9f9a714
add rpc_upgrade_mode as config option for tls upgrades
2017-11-01 15:19:52 -05:00
Alex Dadgar
e5ec915ac3
sync
2017-09-19 10:08:23 -05:00
Michael Schurter
bbcea0dff9
Update consul/api and comment to custom http.Client
2017-05-30 15:11:32 -07:00
Michael Schurter
6f2ecdec27
Update consul/api and fix tls handling
...
Since I was already fixing consul's tls handling in #2645 I decided to
update consul/api and pre-emptively fix our tls handling against the
newest consul/api behavior. consul/api's handling of http.Transports has
improved but would have broken how we handled tls (again).
This would have made for a nasty surprise the next time we updated
consul/api.
2017-05-30 15:11:32 -07:00
Michael Schurter
a4e2463477
Fix consul.verify_ssl
...
Was getting ignored and would have defaulted to false if it wasn't
ignored.
Now defaults to true as per docs and isn't ignored.
2017-05-15 15:32:32 -07:00
Michael Schurter
85210eb92f
Update consul/api to support unix socket addrs
...
Fixes #2594
2017-05-08 11:57:04 -07:00
Pete Wildsmith
1b8a1614ca
reduce to one configuration option
...
There should be just one option, verify_https_client, which
controls incoming and outgoing validation for the HTTPS wrapper
2017-04-28 10:45:09 +01:00
Pete Wildsmith
c948d2ee27
apply gofmt
2017-04-26 18:58:19 +01:00
Pete Wildsmith
56b122c501
Add verification options to TLS config struct
2017-04-25 23:29:43 +01:00
Alex Dadgar
7fae2d2cea
Fix Consul Config Merging/Copying
...
This PR fixes config merging/copying code.
Fixes https://github.com/hashicorp/nomad/issues/2264
2017-02-02 11:12:07 -08:00
Alex Dadgar
9c75ec7f57
Add role to merge test
2017-02-01 16:37:08 -08:00
taylorchu
fd34c03d47
TWEAK: remove else block in tls handling
2017-01-26 14:03:32 -08:00
taylorchu
4453a292a2
BUGFIX: fix consul verify_ssl merging
2017-01-25 16:19:39 -08:00
Alex Dadgar
606bb30863
Merge pull request #2226 from hashicorp/b-vault
...
Improve Vault integration and validation
2017-01-23 14:59:41 -08:00
Alex Dadgar
fb86904902
Check capabilities, allow creation against role
...
Check the capabilities of the Vault token to ensure it is valid and also
allow targeting of a role that the token is not from.
2017-01-19 13:40:32 -08:00
Diptanu Choudhury
e927de02d2
Moved functions to helper from structs
2017-01-18 15:55:14 -08:00
Diptanu Choudhury
c253f5b17d
Fixed merging consul config
2017-01-05 15:15:43 -08:00
Diptanu Choudhury
15f085a4d7
Merge pull request #1931 from hashicorp/rename-vault-config
...
Rename vault config
2016-11-06 10:14:25 -08:00
Diptanu Choudhury
40b9d3bb2d
Fixed comment
2016-11-03 14:45:03 -07:00
Diptanu Choudhury
22681bd8ce
Making AllowUnauthenticated true by default
2016-11-03 14:38:34 -07:00
Diptanu Choudhury
b6f9df5415
Renaming TLS related vault config
2016-11-03 14:24:39 -07:00
Alex Dadgar
ddf5fb82b5
Small cleanups
2016-10-27 10:51:11 -07:00
Diptanu Choudhury
cf35aeac84
Moving the TLSConfig to structs
2016-10-25 15:57:38 -07:00
Alex Dadgar
751aa114bf
Fix Vault parsing of booleans
2016-10-10 18:04:39 -07:00
Diptanu Choudhury
f8cd51b6e9
Enabling vault if token is present
2016-08-18 12:03:50 -07:00
Alex Dadgar
a8efce874f
Token renewal and beginning of tests
2016-08-17 16:25:38 -07:00
Alex Dadgar
713e310670
Renew loop
2016-08-17 16:25:38 -07:00
Alex Dadgar
750a44b2c0
Create a Vault interface for the server
2016-08-17 16:25:38 -07:00
Alex Dadgar
6e2f0a2776
Server has Vault API client
2016-08-17 16:25:38 -07:00
Alex Dadgar
4135b4ece7
Address field name feedback
2016-08-17 16:23:29 -07:00
Alex Dadgar
7d899b6c60
Pass Vault config to client
2016-08-17 16:23:29 -07:00
Alex Dadgar
eac2675faf
Add enabled field
2016-08-17 16:23:29 -07:00
Alex Dadgar
1584cfe93e
small fixes
2016-08-17 16:23:29 -07:00
Alex Dadgar
0ca4a9fa4f
Change token/role names
2016-08-17 16:23:29 -07:00
Alex Dadgar
adb3ce847f
change config variable names to match vault
2016-08-17 16:23:29 -07:00
Alex Dadgar
fab7893774
vendor + api
2016-08-17 16:23:29 -07:00
Alex Dadgar
b32128aa23
Initial config block
2016-08-17 16:23:29 -07:00
Sean Chittenden
871a31a8ec
Teach config.ConsulConfig how to construct a consulapi TLS client.
...
Said differently, centralize the creation of consul's client config
in one place and use it everywhere.
2016-06-16 22:51:06 -07:00
Sean Chittenden
d17af396ca
Create config.DefaultConsulConfig()
2016-06-16 20:41:05 -07:00
Alex Dadgar
aea21affdb
Document consul configuration
2016-06-14 15:21:57 -07:00
Sean Chittenden
6e22b680ce
Disambiguate `auto_join` from `auto_register`, rename reg to `auto_advertise`.
...
Provide an option that describes the value to the user vs the
operation performed by the software. Momentarily introducing
`auto_join`
2016-06-14 12:11:38 -07:00
Sean Chittenden
197feae679
Sync services with Consul by comparing the AgentServiceReg w/ ConsulService
...
The source of truth is the local Nomad Agent. Any services not local that
have a matching prefix are removed. Changed services are re-registered
and missing services are re-added.
2016-06-10 15:54:39 -04:00
Sean Chittenden
e727fd8c3c
Centralize the creation of a consul/api.Config struct.
...
While documented, the consul.timeout parameter wasn't ever set
except one-off in the Consul fingerprinter.
2016-06-10 15:50:11 -04:00
Sean Chittenden
f695d6d70d
Reconcile consul's address configuration section.
...
There were conflicting directives previously, both consul.addr and
consul.address were required to achieve the desired behavior. The
documentation said `consul.address` was the canonical name for the
parameter, so consolidate configuration parameters to `consul.address`.
2016-06-10 15:50:11 -04:00
Sean Chittenden
17116fc5a7
Rebalance Nomad client RPCs among different Nomad servers.
...
Implement client/rpc_proxy.RpcProxy.
2016-06-10 15:50:11 -04:00
Sean Chittenden
b509da2d0c
Create a `nomad/structs/config` to break an import cycle.
...
Flattening and normalizing the various Consul config structures and
services has led to an import cycle. Break this by creating a new package
that is intended to be terminal in the import DAG.
2016-06-10 15:48:36 -04:00