config: remove ACLResolver settings from RuntimeConfig

2025-01-09 13:26:07 +00:00 · 2021-08-06 18:59:05 -04:00 · 2021-08-06 18:59:05 -04:00 · 17841248dd
commit 17841248dd
parent 31e034215f
8 changed files with 85 additions and 83 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -542,13 +542,13 @@ func (a *Agent) Start(ctx context.Context) error {
 	}
 	var intentionDefaultAllow bool
-	switch a.config.ACLDefaultPolicy {
+	switch a.config.ACLResolverSettings.ACLDefaultPolicy {
 	case "allow":
 		intentionDefaultAllow = true
 	case "deny":
 		intentionDefaultAllow = false
 	default:
-		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy)
+		return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLResolverSettings.ACLDefaultPolicy)
 	}
 	go a.baseDeps.ViewStore.Run(&lib.StopChannelContext{StopCh: a.shutdownCh})
@ -1023,6 +1023,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter
 	cfg.DataDir = runtimeCfg.DataDir
 	cfg.NodeName = runtimeCfg.NodeName
 	cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
 	cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize
 	cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches
@ -1115,7 +1116,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 	if runtimeCfg.ACLMasterToken != "" {
 		cfg.ACLMasterToken = runtimeCfg.ACLMasterToken
 	}
 	// TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings
 	cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication
 	cfg.ACLsEnabled = runtimeCfg.ACLsEnabled
 	if runtimeCfg.ACLEnableKeyListPolicy {
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -830,7 +830,6 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 	dataDir := stringVal(c.DataDir)
 	rt = RuntimeConfig{
 		// non-user configurable values
 		ACLDisabledTTL:             b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
 		AEInterval:                 b.durationVal("ae_interval", c.AEInterval),
 		CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
 		CheckReapInterval:          b.durationVal("check_reap_interval", c.CheckReapInterval),
@ -866,15 +865,23 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		GossipWANRetransmitMult: intVal(c.GossipWAN.RetransmitMult),
 		// ACL
-		ACLsEnabled:            aclsEnabled,
+		ACLsEnabled: aclsEnabled,
-		ACLDefaultPolicy:       stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
+		ACLResolverSettings: consul.ACLResolverSettings{
-		ACLDownPolicy:          stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
+			ACLsEnabled:      aclsEnabled,
 			Datacenter:       datacenter,
 			NodeName:         b.nodeName(c.NodeName),
 			ACLPolicyTTL:     b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
 			ACLTokenTTL:      b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
 			ACLRoleTTL:       b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
 			ACLDisabledTTL:   b.durationVal("acl.disabled_ttl", c.ACL.DisabledTTL),
 			ACLDownPolicy:    stringValWithDefault(c.ACL.DownPolicy, stringVal(c.ACLDownPolicy)),
 			ACLDefaultPolicy: stringValWithDefault(c.ACL.DefaultPolicy, stringVal(c.ACLDefaultPolicy)),
 		},
 		ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
 		ACLMasterToken:         stringValWithDefault(c.ACL.Tokens.Master, stringVal(c.ACLMasterToken)),
-		ACLTokenTTL:            b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
+
-		ACLPolicyTTL:           b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
+		ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
 		ACLRoleTTL:             b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
 		ACLTokenReplication:    boolValWithDefault(c.ACL.TokenReplication, boolValWithDefault(c.EnableACLReplication, enableTokenReplication)),
 		ACLTokens: token.Config{
 			DataDir:             dataDir,
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@ -55,13 +55,6 @@ type RuntimeConfig struct {
 	ConsulRaftLeaderLeaseTimeout     time.Duration
 	ConsulServerHealthInterval       time.Duration
 	// ACLDisabledTTL is used by agents to determine how long they will
 	// wait to check again with the servers if they discover ACLs are not
 	// enabled. (not user configurable)
 	//
 	// hcl: acl.disabled_ttl = "duration"
 	ACLDisabledTTL time.Duration
 	// ACLsEnabled is used to determine whether ACLs should be enabled
 	//
 	// hcl: acl.enabled = boolean
@ -69,28 +62,7 @@ type RuntimeConfig struct {
 	ACLTokens token.Config
-	// ACLDefaultPolicy is used to control the ACL interaction when
+	ACLResolverSettings consul.ACLResolverSettings
 	// there is no defined policy. This can be "allow" which means
 	// ACLs are used to deny-list, or "deny" which means ACLs are
 	// allow-lists.
 	//
 	// hcl: acl.default_policy = ("allow"|"deny")
 	ACLDefaultPolicy string
 	// ACLDownPolicy is used to control the ACL interaction when we cannot
 	// reach the PrimaryDatacenter and the token is not in the cache.
 	// There are the following modes:
 	//   * allow - Allow all requests
 	//   * deny - Deny all requests
 	//   * extend-cache - Ignore the cache expiration, and allow cached
 	//                    ACL's to be used to service requests. This
 	//                    is the default. If the ACL is not in the cache,
 	//                    this acts like deny.
 	//   * async-cache - Same behavior as extend-cache, but perform ACL
 	//                   Lookups asynchronously when cache TTL is expired.
 	//
 	// hcl: acl.down_policy = ("allow"|"deny"|"extend-cache"|"async-cache")
 	ACLDownPolicy string
 	// ACLEnableKeyListPolicy is used to opt-in to the "list" policy added to
 	// KV ACLs in Consul 1.0.
@ -114,24 +86,6 @@ type RuntimeConfig struct {
 	// hcl: acl.token_replication = boolean
 	ACLTokenReplication bool
 	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
 	//
 	// hcl: acl.policy_ttl = "duration"
 	ACLTokenTTL time.Duration
 	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
 	//
 	// hcl: acl.token_ttl = "duration"
 	ACLPolicyTTL time.Duration
 	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
 	//
 	// hcl: acl.role_ttl = "duration"
 	ACLRoleTTL time.Duration
 	// AutopilotCleanupDeadServers enables the automatic cleanup of dead servers when new ones
 	// are added to the peer list. Defaults to true.
 	//
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -5146,6 +5146,10 @@ func (tc testCase) run(format string, dataDir string) func(t *testing.T) {
 		// case does not need to set this field.
 		require.Equal(t, actual.DataDir, actual.ACLTokens.DataDir)
 		expected.ACLTokens.DataDir = actual.ACLTokens.DataDir
 		// These fields are always the same
 		expected.ACLResolverSettings.Datacenter = expected.Datacenter
 		expected.ACLResolverSettings.ACLsEnabled = expected.ACLsEnabled
 		expected.ACLResolverSettings.NodeName = expected.NodeName
 		assertDeepEqual(t, expected, actual, cmpopts.EquateEmpty())
 	}
@ -5187,7 +5191,6 @@ func TestLoad_FullConfig(t *testing.T) {
 	defaultEntMeta := structs.DefaultEnterpriseMetaInDefaultPartition()
 	expected := &RuntimeConfig{
 		// non-user configurable values
 		ACLDisabledTTL:             120 * time.Second,
 		AEInterval:                 time.Minute,
 		CheckDeregisterIntervalMin: time.Minute,
 		CheckReapInterval:          30 * time.Second,
@ -5232,15 +5235,21 @@ func TestLoad_FullConfig(t *testing.T) {
 			ACLReplicationToken: "5795983a",
 		},
-		ACLsEnabled:                      true,
+		ACLsEnabled:       true,
-		PrimaryDatacenter:                "ejtmd43d",
+		PrimaryDatacenter: "ejtmd43d",
-		ACLDefaultPolicy:                 "72c2e7a0",
+		ACLResolverSettings: consul.ACLResolverSettings{
-		ACLDownPolicy:                    "03eb2aee",
+			ACLsEnabled:      true,
 			Datacenter:       "rzo029wg",
 			NodeName:         "otlLxGaI",
 			ACLDisabledTTL:   120 * time.Second,
 			ACLDefaultPolicy: "72c2e7a0",
 			ACLDownPolicy:    "03eb2aee",
 			ACLTokenTTL:      3321 * time.Second,
 			ACLPolicyTTL:     1123 * time.Second,
 			ACLRoleTTL:       9876 * time.Second,
 		},
 		ACLEnableKeyListPolicy:           true,
 		ACLMasterToken:                   "8a19ac27",
 		ACLTokenTTL:                      3321 * time.Second,
 		ACLPolicyTTL:                     1123 * time.Second,
 		ACLRoleTTL:                       9876 * time.Second,
 		ACLTokenReplication:              true,
 		AdvertiseAddrLAN:                 ipAddr("17.99.29.16"),
 		AdvertiseAddrWAN:                 ipAddr("78.63.37.19"),
--- a/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
+++ b/agent/config/testdata/TestRuntimeConfig_Sanitize.golden
@ -1,13 +1,18 @@
 {
    "ACLDefaultPolicy": "",
    "ACLDisabledTTL": "0s",
    "ACLDownPolicy": "",
    "ACLEnableKeyListPolicy": false,
    "ACLMasterToken": "hidden",
-    "ACLPolicyTTL": "0s",
+    "ACLResolverSettings": {
-    "ACLRoleTTL": "0s",
+        "ACLDefaultPolicy": "",
        "ACLDisabledTTL": "0s",
        "ACLDownPolicy": "",
        "ACLPolicyTTL": "0s",
        "ACLRoleTTL": "0s",
        "ACLTokenTTL": "0s",
        "ACLsEnabled": false,
        "Datacenter": "",
        "NodeName": ""
    },
    "ACLTokenReplication": false,
    "ACLTokenTTL": "0s",
    "ACLTokens": {
        "ACLAgentMasterToken": "hidden",
        "ACLAgentToken": "hidden",
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@ -214,14 +214,42 @@ type ACLResolverConfig struct {
 // TODO: rename the fields to remove the ACL prefix
 type ACLResolverSettings struct {
-	ACLsEnabled      bool
+	ACLsEnabled bool
-	Datacenter       string
+	Datacenter  string
-	NodeName         string
+	NodeName    string
-	ACLPolicyTTL     time.Duration
+
-	ACLTokenTTL      time.Duration
+	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
-	ACLRoleTTL       time.Duration
+	// a major impact on performance. By default, it is set to 30 seconds.
-	ACLDisabledTTL   time.Duration
+	ACLPolicyTTL time.Duration
-	ACLDownPolicy    string
+	// ACLTokenTTL is used to control the time-to-live of cached ACL tokens. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
 	ACLTokenTTL time.Duration
 	// ACLRoleTTL is used to control the time-to-live of cached ACL roles. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
 	ACLRoleTTL time.Duration
 	// ACLDisabledTTL is used by agents to determine how long they will
 	// wait to check again with the servers if they discover ACLs are not
 	// enabled. (not user configurable)
 	ACLDisabledTTL time.Duration
 	// ACLDownPolicy is used to control the ACL interaction when we cannot
 	// reach the PrimaryDatacenter and the token is not in the cache.
 	// There are the following modes:
 	//   * allow - Allow all requests
 	//   * deny - Deny all requests
 	//   * extend-cache - Ignore the cache expiration, and allow cached
 	//                    ACL's to be used to service requests. This
 	//                    is the default. If the ACL is not in the cache,
 	//                    this acts like deny.
 	//   * async-cache - Same behavior as extend-cache, but perform ACL
 	//                   Lookups asynchronously when cache TTL is expired.
 	ACLDownPolicy string
 	// ACLDefaultPolicy is used to control the ACL interaction when
 	// there is no defined policy. This can be "allow" which means
 	// ACLs are used to deny-list, or "deny" which means ACLs are
 	// allow-lists.
 	ACLDefaultPolicy string
 }
@ -251,7 +279,6 @@ type ACLResolverSettings struct {
 //   upon.
 //
 type ACLResolver struct {
 	// TODO: store the ACLResolverConfig as a field instead of copying all the fields onto ACLResolver.
 	config ACLResolverSettings
 	logger hclog.Logger
--- a/agent/http.go
+++ b/agent/http.go
@ -362,7 +362,7 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 	return func(resp http.ResponseWriter, req *http.Request) {
 		setHeaders(resp, s.agent.config.HTTPResponseHeaders)
 		setTranslateAddr(resp, s.agent.config.TranslateWANAddrs)
-		setACLDefaultPolicy(resp, s.agent.config.ACLDefaultPolicy)
+		setACLDefaultPolicy(resp, s.agent.config.ACLResolverSettings.ACLDefaultPolicy)
 		// Obfuscate any tokens from appearing in the logs
 		formVals, err := url.ParseQuery(req.URL.RawQuery)
--- a/agent/uiserver/uiserver_test.go
+++ b/agent/uiserver/uiserver_test.go
@ -227,7 +227,7 @@ func basicUIEnabledConfig(opts ...cfgFunc) *config.RuntimeConfig {
 func withACLs() cfgFunc {
 	return func(cfg *config.RuntimeConfig) {
 		cfg.PrimaryDatacenter = "dc1"
-		cfg.ACLDefaultPolicy = "deny"
+		cfg.ACLResolverSettings.ACLDefaultPolicy = "deny"
 		cfg.ACLsEnabled = true
 	}
 }