config: remove ACLResolver settings from RuntimeConfig

2021-08-06 18:59:05 -04:00 · 2021-08-06 18:59:05 -04:00 · 17841248dd
parent 31e034215f
commit 17841248dd
8 changed files with 85 additions and 83 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error {
 	}

 	var intentionDefaultAllow bool
-	switch a.config.ACLDefaultPolicy {
+	switch a.config.ACLResolverSettings.ACLDefaultPolicy {
 	case "allow":
 		intentionDefaultAllow = true
 	case "deny":
 		intentionDefaultAllow = false
 	default:
-		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
+		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
 	}

 	go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
 	cfg.DataDir = runtimeCfg.DataDir
 	cfg.NodeName = runtimeCfg.NodeName
+	cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings

 	cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
 	cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
@ -1115,7 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	if runtimeCfg.ACLMasterToken != "" {
 		cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
 	}
-	// TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
 	cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
 	cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
 	if runtimeCfg.ACLEnableKeyListPolicy {
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 	dataDir := stringVal(c.DataDir)
 	rt = RuntimeConfig{
 		// non-user configurable values
-		ACLDisabledTTL:             b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
 		AEInterval:                 b.durationVal("ae_interval", c.AEInterval),
 		CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
 		CheckReapInterval:          b.durationVal("check_reap_interval", c.CheckReapInterval),
@ -866,15 +865,23 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		GossipWANRetransmitMult: intVal(c.GossipWAN.RetransmitMult),

 		// ACL
-		ACLsEnabled:            aclsEnabled,
-		ACLDefaultPolicy:       stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
-		ACLDownPolicy:          stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
+		ACLsEnabled: aclsEnabled,
+		ACLResolverSettings: consul.ACLResolverSettings{
+			ACLsEnabled:      aclsEnabled,
+			Datacenter:       datacenter,
+			NodeName:         b.nodeName(c.NodeName),
+			ACLPolicyTTL:     b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
+			ACLTokenTTL:      b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
+			ACLRoleTTL:       b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
+			ACLDisabledTTL:   b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
+			ACLDownPolicy:    stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
+			ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
+		},
+
 		ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
 		ACLMasterToken:         stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
-		ACLTokenTTL:            b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
-		ACLPolicyTTL:           b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
-		ACLRoleTTL:             b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
-		ACLTokenReplication:    boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
+
+		ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),

 		ACLTokens: token.Config{
 			DataDir:             dataDir,
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@ -55,13 +55,6 @@ type RuntimeConfig struct {
 	ConsulRaftLeaderLeaseTimeout     time.Duration
 	ConsulServerHealthInterval       time.Duration

-	// ACLDisabledTTL is used by agents to determine how long they will
-	// wait to check again with the servers if they discover ACLs are not
-	// enabled. (not user configurable)
-	//
-	// hcl: acl.disabled_ttl = "duration"
-	ACLDisabledTTL time.Duration
-
 	// ACLsEnabled is used to determine whether ACLs should be enabled
 	//
 	// hcl: acl.enabled = boolean
@ -69,28 +62,7 @@ type RuntimeConfig struct {

 	ACLTokens token.Config

-	// ACLDefaultPolicy is used to control the ACL interaction when
-	// there is no defined policy. This can be "allow" which means
-	// ACLs are used to deny-list, or "deny" which means ACLs are
-	// allow-lists.
-	//
-	// hcl: acl.default_policy = ("allow"|"deny")
-	ACLDefaultPolicy string
-
-	// ACLDownPolicy is used to control the ACL interaction when we cannot
-	// reach the PrimaryDatacenter and the token is not in the cache.
-	// There are the following modes:
-	//   * allow - Allow all requests
-	//   * deny - Deny all requests
-	//   * extend-cache - Ignore the cache expiration, and allow cached
-	//                    ACL's to be used to service requests. This
-	//                    is the default. If the ACL is not in the cache,
-	//                    this acts like deny.
-	//   * async-cache - Same behavior as extend-cache, but perform ACL
-	//                   Lookups asynchronously when cache TTL is expired.
-	//
-	// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
-	ACLDownPolicy string
+	ACLResolverSettings consul.ACLResolverSettings

 	// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
 	// KV ACLs in Consul 1.0.
@ -114,24 +86,6 @@ type RuntimeConfig struct {
 	// hcl: acl.token_replication = boolean
 	ACLTokenReplication bool

-	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.policy_ttl = "duration"
-	ACLTokenTTL time.Duration
-
-	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.token_ttl = "duration"
-	ACLPolicyTTL time.Duration
-
-	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
-	// a major impact on performance. By default, it is set to 30 seconds.
-	//
-	// hcl: acl.role_ttl = "duration"
-	ACLRoleTTL time.Duration
-
 	// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
 	// are added to the peer list. Defaults to true.
 	//
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) {
 		// case does not need to set this field.
 		require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
 		expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
+		// These fields are always the same
+		expected.ACLResolverSettings.Datacenter = expected.Datacenter
+		expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled
+		expected.ACLResolverSettings.NodeName = expected.NodeName

 		assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
 	}
@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) {
 	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
 	expected := &RuntimeConfig{
 		// non-user configurable values
-		ACLDisabledTTL:             120 * time.Second,
 		AEInterval:                 time.Minute,
 		CheckDeregisterIntervalMin: time.Minute,
 		CheckReapInterval:          30 * time.Second,
@ -5232,15 +5235,21 @@ func TestLoad_FullConfig(t *testing.T) {
 			ACLReplicationToken: "5795983a",
 		},

-		ACLsEnabled:                      true,
-		PrimaryDatacenter:                "ejtmd43d",
-		ACLDefaultPolicy:                 "72c2e7a0",
-		ACLDownPolicy:                    "03eb2aee",
+		ACLsEnabled:       true,
+		PrimaryDatacenter: "ejtmd43d",
+		ACLResolverSettings: consul.ACLResolverSettings{
+			ACLsEnabled:      true,
+			Datacenter:       "rzo029wg",
+			NodeName:         "otlLxGaI",
+			ACLDisabledTTL:   120 * time.Second,
+			ACLDefaultPolicy: "72c2e7a0",
+			ACLDownPolicy:    "03eb2aee",
+			ACLTokenTTL:      3321 * time.Second,
+			ACLPolicyTTL:     1123 * time.Second,
+			ACLRoleTTL:       9876 * time.Second,
+		},
 		ACLEnableKeyListPolicy:           true,
 		ACLMasterToken:                   "8a19ac27",
-		ACLTokenTTL:                      3321 * time.Second,
-		ACLPolicyTTL:                     1123 * time.Second,
-		ACLRoleTTL:                       9876 * time.Second,
 		ACLTokenReplication:              true,
 		AdvertiseAddrLAN:                 ipAddr("17.99.29.16"),
 		AdvertiseAddrWAN:                 ipAddr("78.63.37.19"),
--- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
+++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
@ -1,13 +1,18 @@
 {
-    "ACLDefaultPolicy": "",
-    "ACLDisabledTTL": "0s",
-    "ACLDownPolicy": "",
    "ACLEnableKeyListPolicy": false,
    "ACLMasterToken": "hidden",
-    "ACLPolicyTTL": "0s",
-    "ACLRoleTTL": "0s",
+    "ACLResolverSettings": {
+        "ACLDefaultPolicy": "",
+        "ACLDisabledTTL": "0s",
+        "ACLDownPolicy": "",
+        "ACLPolicyTTL": "0s",
+        "ACLRoleTTL": "0s",
+        "ACLTokenTTL": "0s",
+        "ACLsEnabled": false,
+        "Datacenter": "",
+        "NodeName": ""
+    },
    "ACLTokenReplication": false,
-    "ACLTokenTTL": "0s",
    "ACLTokens": {
        "ACLAgentMasterToken": "hidden",
        "ACLAgentToken": "hidden",
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@ -214,14 +214,42 @@ type ACLResolverConfig struct {

 // TODO: rename the fields to remove the ACL prefix
 type ACLResolverSettings struct {
-	ACLsEnabled      bool
-	Datacenter       string
-	NodeName         string
-	ACLPolicyTTL     time.Duration
-	ACLTokenTTL      time.Duration
-	ACLRoleTTL       time.Duration
-	ACLDisabledTTL   time.Duration
-	ACLDownPolicy    string
+	ACLsEnabled bool
+	Datacenter  string
+	NodeName    string
+
+	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLPolicyTTL time.Duration
+	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLTokenTTL time.Duration
+	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
+	// a major impact on performance. By default, it is set to 30 seconds.
+	ACLRoleTTL time.Duration
+
+	// ACLDisabledTTL is used by agents to determine how long they will
+	// wait to check again with the servers if they discover ACLs are not
+	// enabled. (not user configurable)
+	ACLDisabledTTL time.Duration
+
+	// ACLDownPolicy is used to control the ACL interaction when we cannot
+	// reach the PrimaryDatacenter and the token is not in the cache.
+	// There are the following modes:
+	//   * allow - Allow all requests
+	//   * deny - Deny all requests
+	//   * extend-cache - Ignore the cache expiration, and allow cached
+	//                    ACL's to be used to service requests. This
+	//                    is the default. If the ACL is not in the cache,
+	//                    this acts like deny.
+	//   * async-cache - Same behavior as extend-cache, but perform ACL
+	//                   Lookups asynchronously when cache TTL is expired.
+	ACLDownPolicy string
+
+	// ACLDefaultPolicy is used to control the ACL interaction when
+	// there is no defined policy. This can be "allow" which means
+	// ACLs are used to deny-list, or "deny" which means ACLs are
+	// allow-lists.
 	ACLDefaultPolicy string
 }

@ -251,7 +279,6 @@ type ACLResolverSettings struct {
 //   upon.
 //
 type ACLResolver struct {
-	// TODO: store the ACLResolverConfig as a field instead of copying all the fields onto ACLResolver.
 	config ACLResolverSettings
 	logger hclog.Logger

--- a/agent/http.go
+++ b/agent/http.go
@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 	return func(resp http.ResponseWriter, req *http.Request) {
 		setHeaders(resp, s.agent.config.HTTPResponseHeaders)
 		setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
-		setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy)
+		setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy)

 		// Obfuscate any tokens from appearing in the logs
 		formVals, err := url.ParseQuery(req.URL.RawQuery)
--- a/agent/uiserver/uiserver_test.go
+++ b/agent/uiserver/uiserver_test.go
@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig {
 func withACLs() cfgFunc {
 	return func(cfg *config.RuntimeConfig) {
 		cfg.PrimaryDatacenter = "dc1"
-		cfg.ACLDefaultPolicy = "deny"
+		cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		cfg.ACLsEnabled = true
 	}
 }