From 9919e5dfa5eba8988a3fe77a259e47c3ff9d137f Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 29 Jul 2020 13:49:52 -0400
Subject: [PATCH 1/3] agent: unmethod consulConfig

To allow us to move newConsulConfig out of Agent.
---
 agent/agent.go | 352 +++++++++++++++++++++++----------------------
 agent/agent_oss.go | 3 +-
 agent/testagent.go | 5 +-
 3 files changed, 183 insertions(+), 177 deletions(-)

diff --git a/agent/agent.go b/agent/agent.go
index 78cb883365..7aca04c35a 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -671,11 +671,19 @@ func (a *Agent) Start(ctx context.Context) error {
 a.sync = ae.NewStateSyncer(a.State, c.AEInterval, a.shutdownCh, a.logger)
 // create the config for the rpc server/client
- consulCfg, err := a.consulConfig()
+ consulCfg, err := newConsulConfig(a.config, a.logger)
 if err != nil {
 return err
 }
+ // Setup the user event callback
+ consulCfg.UserEventHandler = func(e serf.UserEvent) {
+ select {
+ case a.eventCh <- e:
+ case <-a.shutdownCh:
+ }
+ }
+
 // ServerUp is used to inform that a new consul server is now
 // up. This can be used to speed up the sync process if we are blocking
 // waiting to discover a consul server
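Review bot: The UserEventHandler is now attached only on the Start path; the reload path in the `@@ -4123` hunk builds its consul.Config with the same `newConsulConfig(a.config, a.logger)` call but never sets the handler, whereas before this commit consulConfig() populated it on both paths (see the removed block in the `@@ -1486` hunk). If the config handed over on reload is only consumed for the reloadable subset (rate limits, timeouts) nothing is lost, but that is not visible here. A comment on the Start side such as `// UserEventHandler is only needed when the serf instance is created here; reloadConfigInternal does not set it.` would record that intent. The closure captures a.eventCh and a.shutdownCh, so it belongs to the Agent rather than to the config builder, which is the point of the move; Start's body continues outside the hunk.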
@@ -1260,154 +1268,155 @@ func (a *Agent) reloadWatches(cfg *config.RuntimeConfig) error { return nil } -// consulConfig is used to return a consul configuration -func (a *Agent) consulConfig() (*consul.Config, error) { +// newConsulConfig translates a RuntimeConfig into a consul.Config. +// FIXME: move this function to a different file, maybe config.go +func newConsulConfig(config *config.RuntimeConfig, logger hclog.Logger) (*consul.Config, error) { // Start with the provided config or default config base := consul.DefaultConfig() // This is set when the agent starts up - base.NodeID = a.config.NodeID + base.NodeID = config.NodeID // Apply dev mode - base.DevMode = a.config.DevMode + base.DevMode = config.DevMode // Override with our config // todo(fs): these are now always set in the runtime config so we can simplify this // todo(fs): or is there a reason to keep it like that? - base.Datacenter = a.config.Datacenter - base.PrimaryDatacenter = a.config.PrimaryDatacenter - base.DataDir = a.config.DataDir - base.NodeName = a.config.NodeName + base.Datacenter = config.Datacenter + base.PrimaryDatacenter = config.PrimaryDatacenter + base.DataDir = config.DataDir + base.NodeName = config.NodeName - base.CoordinateUpdateBatchSize = a.config.ConsulCoordinateUpdateBatchSize - base.CoordinateUpdateMaxBatches = a.config.ConsulCoordinateUpdateMaxBatches - base.CoordinateUpdatePeriod = a.config.ConsulCoordinateUpdatePeriod - base.CheckOutputMaxSize = a.config.CheckOutputMaxSize + base.CoordinateUpdateBatchSize = config.ConsulCoordinateUpdateBatchSize + base.CoordinateUpdateMaxBatches = config.ConsulCoordinateUpdateMaxBatches + base.CoordinateUpdatePeriod = config.ConsulCoordinateUpdatePeriod + base.CheckOutputMaxSize = config.CheckOutputMaxSize - base.RaftConfig.HeartbeatTimeout = a.config.ConsulRaftHeartbeatTimeout - base.RaftConfig.LeaderLeaseTimeout = a.config.ConsulRaftLeaderLeaseTimeout - base.RaftConfig.ElectionTimeout = a.config.ConsulRaftElectionTimeout + 
base.RaftConfig.HeartbeatTimeout = config.ConsulRaftHeartbeatTimeout + base.RaftConfig.LeaderLeaseTimeout = config.ConsulRaftLeaderLeaseTimeout + base.RaftConfig.ElectionTimeout = config.ConsulRaftElectionTimeout - base.SerfLANConfig.MemberlistConfig.BindAddr = a.config.SerfBindAddrLAN.IP.String() - base.SerfLANConfig.MemberlistConfig.BindPort = a.config.SerfBindAddrLAN.Port - base.SerfLANConfig.MemberlistConfig.CIDRsAllowed = a.config.SerfAllowedCIDRsLAN - base.SerfWANConfig.MemberlistConfig.CIDRsAllowed = a.config.SerfAllowedCIDRsWAN - base.SerfLANConfig.MemberlistConfig.AdvertiseAddr = a.config.SerfAdvertiseAddrLAN.IP.String() - base.SerfLANConfig.MemberlistConfig.AdvertisePort = a.config.SerfAdvertiseAddrLAN.Port - base.SerfLANConfig.MemberlistConfig.GossipVerifyIncoming = a.config.EncryptVerifyIncoming - base.SerfLANConfig.MemberlistConfig.GossipVerifyOutgoing = a.config.EncryptVerifyOutgoing - base.SerfLANConfig.MemberlistConfig.GossipInterval = a.config.GossipLANGossipInterval - base.SerfLANConfig.MemberlistConfig.GossipNodes = a.config.GossipLANGossipNodes - base.SerfLANConfig.MemberlistConfig.ProbeInterval = a.config.GossipLANProbeInterval - base.SerfLANConfig.MemberlistConfig.ProbeTimeout = a.config.GossipLANProbeTimeout - base.SerfLANConfig.MemberlistConfig.SuspicionMult = a.config.GossipLANSuspicionMult - base.SerfLANConfig.MemberlistConfig.RetransmitMult = a.config.GossipLANRetransmitMult - if a.config.ReconnectTimeoutLAN != 0 { - base.SerfLANConfig.ReconnectTimeout = a.config.ReconnectTimeoutLAN + base.SerfLANConfig.MemberlistConfig.BindAddr = config.SerfBindAddrLAN.IP.String() + base.SerfLANConfig.MemberlistConfig.BindPort = config.SerfBindAddrLAN.Port + base.SerfLANConfig.MemberlistConfig.CIDRsAllowed = config.SerfAllowedCIDRsLAN + base.SerfWANConfig.MemberlistConfig.CIDRsAllowed = config.SerfAllowedCIDRsWAN + base.SerfLANConfig.MemberlistConfig.AdvertiseAddr = config.SerfAdvertiseAddrLAN.IP.String() + 
base.SerfLANConfig.MemberlistConfig.AdvertisePort = config.SerfAdvertiseAddrLAN.Port + base.SerfLANConfig.MemberlistConfig.GossipVerifyIncoming = config.EncryptVerifyIncoming + base.SerfLANConfig.MemberlistConfig.GossipVerifyOutgoing = config.EncryptVerifyOutgoing + base.SerfLANConfig.MemberlistConfig.GossipInterval = config.GossipLANGossipInterval + base.SerfLANConfig.MemberlistConfig.GossipNodes = config.GossipLANGossipNodes + base.SerfLANConfig.MemberlistConfig.ProbeInterval = config.GossipLANProbeInterval + base.SerfLANConfig.MemberlistConfig.ProbeTimeout = config.GossipLANProbeTimeout + base.SerfLANConfig.MemberlistConfig.SuspicionMult = config.GossipLANSuspicionMult + base.SerfLANConfig.MemberlistConfig.RetransmitMult = config.GossipLANRetransmitMult + if config.ReconnectTimeoutLAN != 0 { + base.SerfLANConfig.ReconnectTimeout = config.ReconnectTimeoutLAN } - if a.config.SerfBindAddrWAN != nil { - base.SerfWANConfig.MemberlistConfig.BindAddr = a.config.SerfBindAddrWAN.IP.String() - base.SerfWANConfig.MemberlistConfig.BindPort = a.config.SerfBindAddrWAN.Port - base.SerfWANConfig.MemberlistConfig.AdvertiseAddr = a.config.SerfAdvertiseAddrWAN.IP.String() - base.SerfWANConfig.MemberlistConfig.AdvertisePort = a.config.SerfAdvertiseAddrWAN.Port - base.SerfWANConfig.MemberlistConfig.GossipVerifyIncoming = a.config.EncryptVerifyIncoming - base.SerfWANConfig.MemberlistConfig.GossipVerifyOutgoing = a.config.EncryptVerifyOutgoing - base.SerfWANConfig.MemberlistConfig.GossipInterval = a.config.GossipWANGossipInterval - base.SerfWANConfig.MemberlistConfig.GossipNodes = a.config.GossipWANGossipNodes - base.SerfWANConfig.MemberlistConfig.ProbeInterval = a.config.GossipWANProbeInterval - base.SerfWANConfig.MemberlistConfig.ProbeTimeout = a.config.GossipWANProbeTimeout - base.SerfWANConfig.MemberlistConfig.SuspicionMult = a.config.GossipWANSuspicionMult - base.SerfWANConfig.MemberlistConfig.RetransmitMult = a.config.GossipWANRetransmitMult - if a.config.ReconnectTimeoutWAN != 
0 { - base.SerfWANConfig.ReconnectTimeout = a.config.ReconnectTimeoutWAN + if config.SerfBindAddrWAN != nil { + base.SerfWANConfig.MemberlistConfig.BindAddr = config.SerfBindAddrWAN.IP.String() + base.SerfWANConfig.MemberlistConfig.BindPort = config.SerfBindAddrWAN.Port + base.SerfWANConfig.MemberlistConfig.AdvertiseAddr = config.SerfAdvertiseAddrWAN.IP.String() + base.SerfWANConfig.MemberlistConfig.AdvertisePort = config.SerfAdvertiseAddrWAN.Port + base.SerfWANConfig.MemberlistConfig.GossipVerifyIncoming = config.EncryptVerifyIncoming + base.SerfWANConfig.MemberlistConfig.GossipVerifyOutgoing = config.EncryptVerifyOutgoing + base.SerfWANConfig.MemberlistConfig.GossipInterval = config.GossipWANGossipInterval + base.SerfWANConfig.MemberlistConfig.GossipNodes = config.GossipWANGossipNodes + base.SerfWANConfig.MemberlistConfig.ProbeInterval = config.GossipWANProbeInterval + base.SerfWANConfig.MemberlistConfig.ProbeTimeout = config.GossipWANProbeTimeout + base.SerfWANConfig.MemberlistConfig.SuspicionMult = config.GossipWANSuspicionMult + base.SerfWANConfig.MemberlistConfig.RetransmitMult = config.GossipWANRetransmitMult + if config.ReconnectTimeoutWAN != 0 { + base.SerfWANConfig.ReconnectTimeout = config.ReconnectTimeoutWAN } } else { // Disable serf WAN federation base.SerfWANConfig = nil } - base.RPCAddr = a.config.RPCBindAddr - base.RPCAdvertise = a.config.RPCAdvertiseAddr + base.RPCAddr = config.RPCBindAddr + base.RPCAdvertise = config.RPCAdvertiseAddr - base.Segment = a.config.SegmentName - if len(a.config.Segments) > 0 { - segments, err := a.segmentConfig() + base.Segment = config.SegmentName + if len(config.Segments) > 0 { + segments, err := segmentConfig(config) if err != nil { return nil, err } base.Segments = segments } - if a.config.Bootstrap { + if config.Bootstrap { base.Bootstrap = true } - if a.config.CheckOutputMaxSize > 0 { - base.CheckOutputMaxSize = a.config.CheckOutputMaxSize + if config.CheckOutputMaxSize > 0 { + base.CheckOutputMaxSize = 
config.CheckOutputMaxSize } - if a.config.RejoinAfterLeave { + if config.RejoinAfterLeave { base.RejoinAfterLeave = true } - if a.config.BootstrapExpect != 0 { - base.BootstrapExpect = a.config.BootstrapExpect + if config.BootstrapExpect != 0 { + base.BootstrapExpect = config.BootstrapExpect } - if a.config.RPCProtocol > 0 { - base.ProtocolVersion = uint8(a.config.RPCProtocol) + if config.RPCProtocol > 0 { + base.ProtocolVersion = uint8(config.RPCProtocol) } - if a.config.RaftProtocol != 0 { - base.RaftConfig.ProtocolVersion = raft.ProtocolVersion(a.config.RaftProtocol) + if config.RaftProtocol != 0 { + base.RaftConfig.ProtocolVersion = raft.ProtocolVersion(config.RaftProtocol) } - if a.config.RaftSnapshotThreshold != 0 { - base.RaftConfig.SnapshotThreshold = uint64(a.config.RaftSnapshotThreshold) + if config.RaftSnapshotThreshold != 0 { + base.RaftConfig.SnapshotThreshold = uint64(config.RaftSnapshotThreshold) } - if a.config.RaftSnapshotInterval != 0 { - base.RaftConfig.SnapshotInterval = a.config.RaftSnapshotInterval + if config.RaftSnapshotInterval != 0 { + base.RaftConfig.SnapshotInterval = config.RaftSnapshotInterval } - if a.config.RaftTrailingLogs != 0 { - base.RaftConfig.TrailingLogs = uint64(a.config.RaftTrailingLogs) + if config.RaftTrailingLogs != 0 { + base.RaftConfig.TrailingLogs = uint64(config.RaftTrailingLogs) } - if a.config.ACLMasterToken != "" { - base.ACLMasterToken = a.config.ACLMasterToken + if config.ACLMasterToken != "" { + base.ACLMasterToken = config.ACLMasterToken } - if a.config.ACLDatacenter != "" { - base.ACLDatacenter = a.config.ACLDatacenter + if config.ACLDatacenter != "" { + base.ACLDatacenter = config.ACLDatacenter } - if a.config.ACLTokenTTL != 0 { - base.ACLTokenTTL = a.config.ACLTokenTTL + if config.ACLTokenTTL != 0 { + base.ACLTokenTTL = config.ACLTokenTTL } - if a.config.ACLPolicyTTL != 0 { - base.ACLPolicyTTL = a.config.ACLPolicyTTL + if config.ACLPolicyTTL != 0 { + base.ACLPolicyTTL = config.ACLPolicyTTL } - if 
a.config.ACLRoleTTL != 0 { - base.ACLRoleTTL = a.config.ACLRoleTTL + if config.ACLRoleTTL != 0 { + base.ACLRoleTTL = config.ACLRoleTTL } - if a.config.ACLDefaultPolicy != "" { - base.ACLDefaultPolicy = a.config.ACLDefaultPolicy + if config.ACLDefaultPolicy != "" { + base.ACLDefaultPolicy = config.ACLDefaultPolicy } - if a.config.ACLDownPolicy != "" { - base.ACLDownPolicy = a.config.ACLDownPolicy + if config.ACLDownPolicy != "" { + base.ACLDownPolicy = config.ACLDownPolicy } - base.ACLTokenReplication = a.config.ACLTokenReplication - base.ACLsEnabled = a.config.ACLsEnabled - if a.config.ACLEnableKeyListPolicy { - base.ACLEnableKeyListPolicy = a.config.ACLEnableKeyListPolicy + base.ACLTokenReplication = config.ACLTokenReplication + base.ACLsEnabled = config.ACLsEnabled + if config.ACLEnableKeyListPolicy { + base.ACLEnableKeyListPolicy = config.ACLEnableKeyListPolicy } - if a.config.SessionTTLMin != 0 { - base.SessionTTLMin = a.config.SessionTTLMin + if config.SessionTTLMin != 0 { + base.SessionTTLMin = config.SessionTTLMin } - if a.config.NonVotingServer { - base.NonVoter = a.config.NonVotingServer + if config.NonVotingServer { + base.NonVoter = config.NonVotingServer } // These are fully specified in the agent defaults, so we can simply // copy them over. 
- base.AutopilotConfig.CleanupDeadServers = a.config.AutopilotCleanupDeadServers - base.AutopilotConfig.LastContactThreshold = a.config.AutopilotLastContactThreshold - base.AutopilotConfig.MaxTrailingLogs = uint64(a.config.AutopilotMaxTrailingLogs) - base.AutopilotConfig.MinQuorum = a.config.AutopilotMinQuorum - base.AutopilotConfig.ServerStabilizationTime = a.config.AutopilotServerStabilizationTime - base.AutopilotConfig.RedundancyZoneTag = a.config.AutopilotRedundancyZoneTag - base.AutopilotConfig.DisableUpgradeMigration = a.config.AutopilotDisableUpgradeMigration - base.AutopilotConfig.UpgradeVersionTag = a.config.AutopilotUpgradeVersionTag + base.AutopilotConfig.CleanupDeadServers = config.AutopilotCleanupDeadServers + base.AutopilotConfig.LastContactThreshold = config.AutopilotLastContactThreshold + base.AutopilotConfig.MaxTrailingLogs = uint64(config.AutopilotMaxTrailingLogs) + base.AutopilotConfig.MinQuorum = config.AutopilotMinQuorum + base.AutopilotConfig.ServerStabilizationTime = config.AutopilotServerStabilizationTime + base.AutopilotConfig.RedundancyZoneTag = config.AutopilotRedundancyZoneTag + base.AutopilotConfig.DisableUpgradeMigration = config.AutopilotDisableUpgradeMigration + base.AutopilotConfig.UpgradeVersionTag = config.AutopilotUpgradeVersionTag // make sure the advertise address is always set if base.RPCAdvertise == nil { 
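Review bot: The parameter name `config` in `func newConsulConfig(config *config.RuntimeConfig, logger hclog.Logger)` shadows the imported `config` package for the whole body (it compiles because parameter scope starts after the signature), so nothing inside the function can refer to the package any more; the same shadowing appears in `segmentConfig(config *config.RuntimeConfig)` and in `setupBaseKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, ...)` where the first parameter does it. Renaming the parameter to `cfg` or `rtConfig`, as the keyring helpers already do for the runtime config, would keep the three consistent and avoid a surprise for whoever later needs a package-level helper from inside these bodies. Separately, `base.CheckOutputMaxSize = config.CheckOutputMaxSize` is assigned unconditionally near the top and again under `if config.CheckOutputMaxSize > 0 {`, so the guarded copy is redundant and could be dropped. newConsulConfig continues past the end of this hunk.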
@@ -1415,27 +1424,27 @@ func (a *Agent) consulConfig() (*consul.Config, error) { } // Rate limiting for RPC calls. - if a.config.RPCRateLimit > 0 { - base.RPCRate = a.config.RPCRateLimit + if config.RPCRateLimit > 0 { + base.RPCRate = config.RPCRateLimit } - if a.config.RPCMaxBurst > 0 { - base.RPCMaxBurst = a.config.RPCMaxBurst + if config.RPCMaxBurst > 0 { + base.RPCMaxBurst = config.RPCMaxBurst } // RPC timeouts/limits. - if a.config.RPCHandshakeTimeout > 0 { - base.RPCHandshakeTimeout = a.config.RPCHandshakeTimeout + if config.RPCHandshakeTimeout > 0 { + base.RPCHandshakeTimeout = config.RPCHandshakeTimeout } - if a.config.RPCMaxConnsPerClient > 0 { - base.RPCMaxConnsPerClient = a.config.RPCMaxConnsPerClient + if config.RPCMaxConnsPerClient > 0 { + base.RPCMaxConnsPerClient = config.RPCMaxConnsPerClient } // RPC-related performance configs. We allow explicit zero value to disable so // copy it whatever the value. - base.RPCHoldTimeout = a.config.RPCHoldTimeout + base.RPCHoldTimeout = config.RPCHoldTimeout - if a.config.LeaveDrainTime > 0 { - base.LeaveDrainTime = a.config.LeaveDrainTime + if config.LeaveDrainTime > 0 { + base.LeaveDrainTime = config.LeaveDrainTime } // set the src address for outgoing rpc connections 
@@ -1445,39 +1454,39 @@ func (a *Agent) consulConfig() (*consul.Config, error) { } // Format the build string - revision := a.config.Revision + revision := config.Revision if len(revision) > 8 { revision = revision[:8] } - base.Build = fmt.Sprintf("%s%s:%s", a.config.Version, a.config.VersionPrerelease, revision) + base.Build = fmt.Sprintf("%s%s:%s", config.Version, config.VersionPrerelease, revision) // Copy the TLS configuration - base.VerifyIncoming = a.config.VerifyIncoming || a.config.VerifyIncomingRPC - if a.config.CAPath != "" || a.config.CAFile != "" { + base.VerifyIncoming = config.VerifyIncoming || config.VerifyIncomingRPC + if config.CAPath != "" || config.CAFile != "" { base.UseTLS = true } - base.VerifyOutgoing = a.config.VerifyOutgoing - base.VerifyServerHostname = a.config.VerifyServerHostname - base.CAFile = a.config.CAFile - base.CAPath = a.config.CAPath - base.CertFile = a.config.CertFile - base.KeyFile = a.config.KeyFile - base.ServerName = a.config.ServerName - base.Domain = a.config.DNSDomain - base.TLSMinVersion = a.config.TLSMinVersion - base.TLSCipherSuites = a.config.TLSCipherSuites - base.TLSPreferServerCipherSuites = a.config.TLSPreferServerCipherSuites - base.DefaultQueryTime = a.config.DefaultQueryTime - base.MaxQueryTime = a.config.MaxQueryTime + base.VerifyOutgoing = config.VerifyOutgoing + base.VerifyServerHostname = config.VerifyServerHostname + base.CAFile = config.CAFile + base.CAPath = config.CAPath + base.CertFile = config.CertFile + base.KeyFile = config.KeyFile + base.ServerName = config.ServerName + base.Domain = config.DNSDomain + base.TLSMinVersion = config.TLSMinVersion + base.TLSCipherSuites = config.TLSCipherSuites + base.TLSPreferServerCipherSuites = config.TLSPreferServerCipherSuites + base.DefaultQueryTime = config.DefaultQueryTime + base.MaxQueryTime = config.MaxQueryTime - base.AutoEncryptAllowTLS = a.config.AutoEncryptAllowTLS + base.AutoEncryptAllowTLS = config.AutoEncryptAllowTLS // Copy the Connect CA bootstrap 
config - if a.config.ConnectEnabled { + if config.ConnectEnabled { base.ConnectEnabled = true - base.ConnectMeshGatewayWANFederationEnabled = a.config.ConnectMeshGatewayWANFederationEnabled + base.ConnectMeshGatewayWANFederationEnabled = config.ConnectMeshGatewayWANFederationEnabled - ca, err := a.config.ConnectCAConfiguration() + ca, err := config.ConnectCAConfiguration() if err != nil { return nil, err } 
@@ -1486,40 +1495,33 @@ func (a *Agent) consulConfig() (*consul.Config, error) { } // copy over auto config settings - base.AutoConfigEnabled = a.config.AutoConfig.Enabled - base.AutoConfigIntroToken = a.config.AutoConfig.IntroToken - base.AutoConfigIntroTokenFile = a.config.AutoConfig.IntroTokenFile - base.AutoConfigServerAddresses = a.config.AutoConfig.ServerAddresses - base.AutoConfigDNSSANs = a.config.AutoConfig.DNSSANs - base.AutoConfigIPSANs = a.config.AutoConfig.IPSANs - base.AutoConfigAuthzEnabled = a.config.AutoConfig.Authorizer.Enabled - base.AutoConfigAuthzAuthMethod = a.config.AutoConfig.Authorizer.AuthMethod - base.AutoConfigAuthzClaimAssertions = a.config.AutoConfig.Authorizer.ClaimAssertions - base.AutoConfigAuthzAllowReuse = a.config.AutoConfig.Authorizer.AllowReuse - - // Setup the user event callback - base.UserEventHandler = func(e serf.UserEvent) { - select { - case a.eventCh <- e: - case <-a.shutdownCh: - } - } + base.AutoConfigEnabled = config.AutoConfig.Enabled + base.AutoConfigIntroToken = config.AutoConfig.IntroToken + base.AutoConfigIntroTokenFile = config.AutoConfig.IntroTokenFile + base.AutoConfigServerAddresses = config.AutoConfig.ServerAddresses + base.AutoConfigDNSSANs = config.AutoConfig.DNSSANs + base.AutoConfigIPSANs = config.AutoConfig.IPSANs + base.AutoConfigAuthzEnabled = config.AutoConfig.Authorizer.Enabled + base.AutoConfigAuthzAuthMethod = config.AutoConfig.Authorizer.AuthMethod + base.AutoConfigAuthzClaimAssertions = config.AutoConfig.Authorizer.ClaimAssertions + base.AutoConfigAuthzAllowReuse = config.AutoConfig.Authorizer.AllowReuse // This will set up the LAN keyring, as well as the WAN and any segments // for servers. - if err := a.setupKeyrings(base); err != nil { + // FIXME: move this to remove the need to pass in logger. 
+ if err := setupKeyrings(base, config, logger); err != nil { return nil, fmt.Errorf("Failed to configure keyring: %v", err) } - base.ConfigEntryBootstrap = a.config.ConfigEntryBootstrap + base.ConfigEntryBootstrap = config.ConfigEntryBootstrap - return a.enterpriseConsulConfig(base) + enterpriseConsulConfig(base, config) + return base, nil } // Setup the serf and memberlist config for any defined network segments. -func (a *Agent) segmentConfig() ([]consul.NetworkSegment, error) { +func segmentConfig(config *config.RuntimeConfig) ([]consul.NetworkSegment, error) { var segments []consul.NetworkSegment - config := a.config for _, s := range config.Segments { serfConf := consul.DefaultConfig().SerfLANConfig @@ -1543,7 +1545,7 @@ func (a *Agent) segmentConfig() ([]consul.NetworkSegment, error) { if s.RPCListener { rpcAddr = &net.TCPAddr{ IP: s.Bind.IP, - Port: a.config.ServerPort, + Port: config.ServerPort, } } @@ -1561,20 +1563,21 @@ func (a *Agent) segmentConfig() ([]consul.NetworkSegment, error) { } // setupBaseKeyrings configures the LAN and WAN keyrings. -func (a *Agent) setupBaseKeyrings(config *consul.Config) error { +// FIXME: move this function to a different file. maybe keyring.go, or config.go +func setupBaseKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error { // If the keyring file is disabled then just poke the provided key // into the in-memory keyring. federationEnabled := config.SerfWANConfig != nil - if a.config.DisableKeyringFile { - if a.config.EncryptKey == "" { + if rtConfig.DisableKeyringFile { + if rtConfig.EncryptKey == "" { return nil } - keys := []string{a.config.EncryptKey} + keys := []string{rtConfig.EncryptKey} if err := loadKeyring(config.SerfLANConfig, keys); err != nil { return err } - if a.config.ServerMode && federationEnabled { + if rtConfig.ServerMode && federationEnabled { if err := loadKeyring(config.SerfWANConfig, keys); err != nil { return err } 
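Review bot: `enterpriseConsulConfig(base, config)` no longer returns anything, so the `return base, nil` added after it cannot surface a failure from the enterprise implementation; the OSS stub in agent_oss.go is a no-op, but the agent_ent.go version is outside this diff, so whether it could previously return a non-nil error cannot be confirmed from here and is worth checking before the signature is fixed. The adjacent `return nil, fmt.Errorf("Failed to configure keyring: %v", err)` would also benefit from `return nil, fmt.Errorf("configuring keyring: %w", err)` so callers can inspect the keyring error with errors.Is/As and the message reads cleanly when chained. newConsulConfig begins before this hunk and segmentConfig runs past it.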
@@ -1583,23 +1586,23 @@ func (a *Agent) setupBaseKeyrings(config *consul.Config) error { } // Otherwise, we need to deal with the keyring files. - fileLAN := filepath.Join(a.config.DataDir, SerfLANKeyring) - fileWAN := filepath.Join(a.config.DataDir, SerfWANKeyring) + fileLAN := filepath.Join(rtConfig.DataDir, SerfLANKeyring) + fileWAN := filepath.Join(rtConfig.DataDir, SerfWANKeyring) var existingLANKeyring, existingWANKeyring bool - if a.config.EncryptKey == "" { + if rtConfig.EncryptKey == "" { goto LOAD } if _, err := os.Stat(fileLAN); err != nil { - if err := initKeyring(fileLAN, a.config.EncryptKey); err != nil { + if err := initKeyring(fileLAN, rtConfig.EncryptKey); err != nil { return err } } else { existingLANKeyring = true } - if a.config.ServerMode && federationEnabled { + if rtConfig.ServerMode && federationEnabled { if _, err := os.Stat(fileWAN); err != nil { - if err := initKeyring(fileWAN, a.config.EncryptKey); err != nil { + if err := initKeyring(fileWAN, rtConfig.EncryptKey); err != nil { return err } } else { @@ -1614,7 +1617,7 @@ LOAD: if err := loadKeyringFile(config.SerfLANConfig); err != nil { return err } - if a.config.ServerMode && federationEnabled { + if rtConfig.ServerMode && federationEnabled { if _, err := os.Stat(fileWAN); err == nil { config.SerfWANConfig.KeyringFile = fileWAN } 
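Review bot: `if _, err := os.Stat(fileLAN); err != nil {` treats every Stat failure as "keyring file absent" and calls `initKeyring(fileLAN, rtConfig.EncryptKey)`, so a permission or I/O error on an existing keyring file is turned into an attempt to create a fresh keyring from the -encrypt key rather than being reported; the WAN branch a few lines down does the same. Narrowing the condition to `os.IsNotExist(err)` and returning any other Stat error, instead of letting it fall into the `existingLANKeyring = true` branch, keeps an unreadable existing keyring from being replaced or misreported — that file is what holds the gossip encryption keys. This predates the commit and is only re-homed by it; the same lines reappear in the keyring.go hunk of the second patch. setupBaseKeyrings starts in the previous hunk.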
@@ -1625,21 +1628,21 @@ LOAD: // Only perform the following checks if there was an encrypt_key // provided in the configuration. - if a.config.EncryptKey != "" { + if rtConfig.EncryptKey != "" { msg := " keyring doesn't include key provided with -encrypt, using keyring" if existingLANKeyring && keyringIsMissingKey( config.SerfLANConfig.MemberlistConfig.Keyring, - a.config.EncryptKey, + rtConfig.EncryptKey, ) { - a.logger.Warn(msg, "keyring", "LAN") + logger.Warn(msg, "keyring", "LAN") } if existingWANKeyring && keyringIsMissingKey( config.SerfWANConfig.MemberlistConfig.Keyring, - a.config.EncryptKey, + rtConfig.EncryptKey, ) { - a.logger.Warn(msg, "keyring", "WAN") + logger.Warn(msg, "keyring", "WAN") } } @@ -1647,9 +1650,10 @@ LOAD: } // setupKeyrings is used to initialize and load keyrings during agent startup. -func (a *Agent) setupKeyrings(config *consul.Config) error { +// FIXME: move this function to a different file. maybe keyring.go, or config.go +func setupKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error { // First set up the LAN and WAN keyrings. - if err := a.setupBaseKeyrings(config); err != nil { + if err := setupBaseKeyrings(config, rtConfig, logger); err != nil { return err } @@ -4123,7 +4127,7 @@ func (a *Agent) reloadConfigInternal(newCfg *config.RuntimeConfig) error { } // create the config for the rpc server/client - consulCfg, err := a.consulConfig() + consulCfg, err := newConsulConfig(a.config, a.logger) if err != nil { return err } diff --git a/agent/agent_oss.go b/agent/agent_oss.go index f5be5e59ef..03b2f7ef52 100644 --- a/agent/agent_oss.go +++ b/agent/agent_oss.go 
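Review bot: `logger.Warn(msg, "keyring", "LAN")` logs a message whose text begins with a space, because `msg := " keyring doesn't include key provided with -encrypt, using keyring"` on the line above still carries the leading space from when the keyring name was concatenated in front of it; now that the name is a structured field the space is just noise in every emitted line. Dropping it, `msg := "keyring doesn't include key provided with -encrypt, using keyring"`, is a one-character fix, and the same string is carried into keyring.go by the second patch. This hunk is the tail of setupBaseKeyrings, which starts earlier.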
@@ -33,8 +33,7 @@ func (a *Agent) reloadEnterprise(conf *config.RuntimeConfig) error { } // enterpriseConsulConfig is a noop stub for the func defined in agent_ent.go -func (a *Agent) enterpriseConsulConfig(base *consul.Config) (*consul.Config, error) { - return base, nil +func enterpriseConsulConfig(_ *consul.Config, _ *config.RuntimeConfig) { } // WriteEvent is a noop stub for the func defined agent_ent.go diff --git a/agent/testagent.go b/agent/testagent.go index d68ae26ec6..387c3efbea 100644 --- a/agent/testagent.go +++ b/agent/testagent.go @@ -413,8 +413,11 @@ func (a *TestAgent) DNSDisableCompression(b bool) { } } +// FIXME: this should t.Fatal on error, not panic. +// TODO: rename to newConsulConfig +// TODO: remove TestAgent receiver, accept a.Agent.config as an arg func (a *TestAgent) consulConfig() *consul.Config { - c, err := a.Agent.consulConfig() + c, err := newConsulConfig(a.Agent.config, a.Agent.logger) if err != nil { panic(err) } From 7b5b170a0d8252f7b7b1383529fa62c8c278b8d2 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Mon, 10 Aug 2020 20:20:06 -0400 Subject: [PATCH 2/3] agent: Move setupKeyring functions to keyring.go There are a couple reasons for this change: 1. agent.go is way too big. Smaller files make code easier to read because tools that show usage also include filename which can give a lot more context to someone trying to understand which functions call other functions. 2. these two functions call into a large number of functions already in keyring.go. --- agent/agent.go | 121 +---------------------------------------------- agent/keyring.go | 116 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+), 119 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index 7aca04c35a..75afef97e1 100644 --- a/agent/agent.go +++ b/agent/agent.go
@@ -51,7 +51,6 @@ import (
 "github.com/hashicorp/consul/tlsutil"
 "github.com/hashicorp/consul/types"
 "github.com/hashicorp/go-multierror"
- "github.com/hashicorp/memberlist"
 "github.com/hashicorp/raft"
 "github.com/hashicorp/serf/serf"
 "golang.org/x/net/http2"
@@ -1269,7 +1268,7 @@ func (a *Agent) reloadWatches(cfg *config.RuntimeConfig) error {
 }
 // newConsulConfig translates a RuntimeConfig into a consul.Config.
-// FIXME: move this function to a different file, maybe config.go
+// TODO: move this function to a different file, maybe config.go
 func newConsulConfig(config *config.RuntimeConfig, logger hclog.Logger) (*consul.Config, error) {
 // Start with the provided config or default config
 base := consul.DefaultConfig()
@@ -1508,7 +1507,7 @@ func newConsulConfig(config *config.RuntimeConfig, logger hclog.Logger) (*consul
 // This will set up the LAN keyring, as well as the WAN and any segments
 // for servers.
- // FIXME: move this to remove the need to pass in logger.
+ // TODO: move this closer to where the keyrings will be used.
 if err := setupKeyrings(base, config, logger); err != nil {
 return nil, fmt.Errorf("Failed to configure keyring: %v", err)
 }
@@ -1562,122 +1561,6 @@ func segmentConfig(config *config.RuntimeConfig) ([]consul.NetworkSegment, error return segments, nil } -// setupBaseKeyrings configures the LAN and WAN keyrings. -// FIXME: move this function to a different file. maybe keyring.go, or config.go -func setupBaseKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error { - // If the keyring file is disabled then just poke the provided key - // into the in-memory keyring. - federationEnabled := config.SerfWANConfig != nil - if rtConfig.DisableKeyringFile { - if rtConfig.EncryptKey == "" { - return nil - } - - keys := []string{rtConfig.EncryptKey} - if err := loadKeyring(config.SerfLANConfig, keys); err != nil { - return err - } - if rtConfig.ServerMode && federationEnabled { - if err := loadKeyring(config.SerfWANConfig, keys); err != nil { - return err - } - } - return nil - } - - // Otherwise, we need to deal with the keyring files. - fileLAN := filepath.Join(rtConfig.DataDir, SerfLANKeyring) - fileWAN := filepath.Join(rtConfig.DataDir, SerfWANKeyring) - - var existingLANKeyring, existingWANKeyring bool - if rtConfig.EncryptKey == "" { - goto LOAD - } - if _, err := os.Stat(fileLAN); err != nil { - if err := initKeyring(fileLAN, rtConfig.EncryptKey); err != nil { - return err - } - } else { - existingLANKeyring = true - } - if rtConfig.ServerMode && federationEnabled { - if _, err := os.Stat(fileWAN); err != nil { - if err := initKeyring(fileWAN, rtConfig.EncryptKey); err != nil { - return err - } - } else { - existingWANKeyring = true - } - } - -LOAD: - if _, err := os.Stat(fileLAN); err == nil { - config.SerfLANConfig.KeyringFile = fileLAN - } - if err := loadKeyringFile(config.SerfLANConfig); err != nil { - return err - } - if rtConfig.ServerMode && federationEnabled { - if _, err := os.Stat(fileWAN); err == nil { - config.SerfWANConfig.KeyringFile = fileWAN - } - if err := loadKeyringFile(config.SerfWANConfig); err != nil { - return err - } - } - - // Only 
perform the following checks if there was an encrypt_key - // provided in the configuration. - if rtConfig.EncryptKey != "" { - msg := " keyring doesn't include key provided with -encrypt, using keyring" - if existingLANKeyring && - keyringIsMissingKey( - config.SerfLANConfig.MemberlistConfig.Keyring, - rtConfig.EncryptKey, - ) { - logger.Warn(msg, "keyring", "LAN") - } - if existingWANKeyring && - keyringIsMissingKey( - config.SerfWANConfig.MemberlistConfig.Keyring, - rtConfig.EncryptKey, - ) { - logger.Warn(msg, "keyring", "WAN") - } - } - - return nil -} - -// setupKeyrings is used to initialize and load keyrings during agent startup. -// FIXME: move this function to a different file. maybe keyring.go, or config.go -func setupKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error { - // First set up the LAN and WAN keyrings. - if err := setupBaseKeyrings(config, rtConfig, logger); err != nil { - return err - } - - // If there's no LAN keyring then there's nothing else to set up for - // any segments. - lanKeyring := config.SerfLANConfig.MemberlistConfig.Keyring - if lanKeyring == nil { - return nil - } - - // Copy the initial state of the LAN keyring into each segment config. - // Segments don't have their own keyring file, they rely on the LAN - // holding the state so things can't get out of sync. - k, pk := lanKeyring.GetKeys(), lanKeyring.GetPrimaryKey() - for _, segment := range config.Segments { - keyring, err := memberlist.NewKeyring(k, pk) - if err != nil { - return err - } - segment.SerfConfig.MemberlistConfig.Keyring = keyring - } - return nil -} - // registerEndpoint registers a handler for the consul RPC server // under a unique name while making it accessible under the provided // name. This allows overwriting handlers for the golang net/rpc diff --git a/agent/keyring.go b/agent/keyring.go index 48c1ebc0ba..c6a91e2b74 100644 --- a/agent/keyring.go +++ b/agent/keyring.go 
@@ -9,8 +9,10 @@ import (
 "os"
 "path/filepath"
+ "github.com/hashicorp/consul/agent/config"
 "github.com/hashicorp/consul/agent/consul"
 "github.com/hashicorp/consul/agent/structs"
+ "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/memberlist"
 "github.com/hashicorp/serf/serf"
 )
@@ -20,6 +22,120 @@ const (
 SerfWANKeyring = "serf/remote.keyring"
 )
+// setupKeyrings in config.SerfLANConfig and config.SerfWANConfig.
+func setupKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error {
+ // First set up the LAN and WAN keyrings.
+ if err := setupBaseKeyrings(config, rtConfig, logger); err != nil {
+ return err
+ }
+
+ // If there's no LAN keyring then there's nothing else to set up for
+ // any segments.
+ lanKeyring := config.SerfLANConfig.MemberlistConfig.Keyring
+ if lanKeyring == nil {
+ return nil
+ }
+
+ // Copy the initial state of the LAN keyring into each segment config.
+ // Segments don't have their own keyring file, they rely on the LAN
+ // holding the state so things can't get out of sync.
+ k, pk := lanKeyring.GetKeys(), lanKeyring.GetPrimaryKey()
+ for _, segment := range config.Segments {
+ keyring, err := memberlist.NewKeyring(k, pk)
+ if err != nil {
+ return err
+ }
+ segment.SerfConfig.MemberlistConfig.Keyring = keyring
+ }
+ return nil
+}
+
+// setupBaseKeyrings configures the LAN and WAN keyrings.
+func setupBaseKeyrings(config *consul.Config, rtConfig *config.RuntimeConfig, logger hclog.Logger) error {
+ // If the keyring file is disabled then just poke the provided key
+ // into the in-memory keyring.
+ federationEnabled := config.SerfWANConfig != nil
+ if rtConfig.DisableKeyringFile {
+ if rtConfig.EncryptKey == "" {
+ return nil
+ }
+
+ keys := []string{rtConfig.EncryptKey}
+ if err := loadKeyring(config.SerfLANConfig, keys); err != nil {
+ return err
+ }
+ if rtConfig.ServerMode && federationEnabled {
+ if err := loadKeyring(config.SerfWANConfig, keys); err != nil {
+ return err
+ }
+ }
+ return nil
+ }
+
+ // Otherwise, we need to deal with the keyring files.
+ fileLAN := filepath.Join(rtConfig.DataDir, SerfLANKeyring)
+ fileWAN := filepath.Join(rtConfig.DataDir, SerfWANKeyring)
+
+ var existingLANKeyring, existingWANKeyring bool
+ if rtConfig.EncryptKey == "" {
+ goto LOAD
+ }
+ if _, err := os.Stat(fileLAN); err != nil {
+ if err := initKeyring(fileLAN, rtConfig.EncryptKey); err != nil {
+ return err
+ }
+ } else {
+ existingLANKeyring = true
+ }
+ if rtConfig.ServerMode && federationEnabled {
+ if _, err := os.Stat(fileWAN); err != nil {
+ if err := initKeyring(fileWAN, rtConfig.EncryptKey); err != nil {
+ return err
+ }
+ } else {
+ existingWANKeyring = true
+ }
+ }
+
+LOAD:
+ if _, err := os.Stat(fileLAN); err == nil {
+ config.SerfLANConfig.KeyringFile = fileLAN
+ }
+ if err := loadKeyringFile(config.SerfLANConfig); err != nil {
+ return err
+ }
+ if rtConfig.ServerMode && federationEnabled {
+ if _, err := os.Stat(fileWAN); err == nil {
+ config.SerfWANConfig.KeyringFile = fileWAN
+ }
+ if err := loadKeyringFile(config.SerfWANConfig); err != nil {
+ return err
+ }
+ }
+
+ // Only perform the following checks if there was an encrypt_key
+ // provided in the configuration.
+ if rtConfig.EncryptKey != "" {
+ msg := " keyring doesn't include key provided with -encrypt, using keyring"
+ if existingLANKeyring &&
+ keyringIsMissingKey(
+ config.SerfLANConfig.MemberlistConfig.Keyring,
+ rtConfig.EncryptKey,
+ ) {
+ logger.Warn(msg, "keyring", "LAN")
+ }
+ if existingWANKeyring &&
+ keyringIsMissingKey(
+ config.SerfWANConfig.MemberlistConfig.Keyring,
+ rtConfig.EncryptKey,
+ ) {
+ logger.Warn(msg, "keyring", "WAN")
+ }
+ }
+
+ return nil
+}
+
 // initKeyring will create a keyring file at a given path.
 func initKeyring(path, key string) error {
 var keys []string
From 399c77dfb676c48b9a42f600237120616fbd1364 Mon Sep 17 00:00:00 2001
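Review bot: In setupBaseKeyrings the two `os.Stat` checks ahead of `LOAD:` treat every stat error as "no keyring file yet" and fall into `initKeyring(fileLAN, rtConfig.EncryptKey)`, so a keyring file that exists but cannot be stat'ed (permission problem, transient I/O error) is handled as if it were absent; if initKeyring writes unconditionally — its body is outside this hunk — that path can replace an operator's existing keyring with one holding only the -encrypt key, and the same conflation in the `LOAD:` block leaves `KeyringFile` unset for an unreadable file. Distinguishing `os.IsNotExist(err)` from other errors and returning the latter keeps a degraded filesystem from silently changing the gossip key set; the `goto LOAD` can become an `if rtConfig.EncryptKey != "" { … }` around the init block at the same time, dropping the label. The doc comment `// setupKeyrings in config.SerfLANConfig and config.SerfWANConfig.` is also missing its verb; `// setupKeyrings loads the LAN and WAN keyrings into config.SerfLANConfig and config.SerfWANConfig, then copies the LAN keyring into every segment config.` states what the function does.
```go
// … unchanged: DisableKeyringFile branch, fileLAN/fileWAN …
var existingLANKeyring, existingWANKeyring bool
if rtConfig.EncryptKey != "" {
	_, err := os.Stat(fileLAN)
	switch {
	case err == nil:
		existingLANKeyring = true
	case os.IsNotExist(err):
		if err := initKeyring(fileLAN, rtConfig.EncryptKey); err != nil {
			return err
		}
	default:
		// an existing keyring we cannot inspect must not be re-initialised
		return err
	}
	// … same three-way check for fileWAN when rtConfig.ServerMode && federationEnabled …
}
// … unchanged: keyring-file loading (former LOAD section) and -encrypt warnings …
```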
From: Daniel Nephin Date: Tue, 11 Aug 2020 12:20:46 -0400 Subject: [PATCH 3/3] agent: rename vars in newConsulConfig 'base' is a bit misleading, since it is the return value. Renamed to cfg. --- agent/agent.go | 317 ++++++++++++++++++++++++------------------------- 1 file changed, 158 insertions(+), 159 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index 75afef97e1..8dfd6450ca 100644 --- a/agent/agent.go +++ b/agent/agent.go 
@@ -1269,253 +1269,252 @@ func (a *Agent) reloadWatches(cfg *config.RuntimeConfig) error { // newConsulConfig translates a RuntimeConfig into a consul.Config. // TODO: move this function to a different file, maybe config.go -func newConsulConfig(config *config.RuntimeConfig, logger hclog.Logger) (*consul.Config, error) { - // Start with the provided config or default config - base := consul.DefaultConfig() +func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*consul.Config, error) { + cfg := consul.DefaultConfig() // This is set when the agent starts up - base.NodeID = config.NodeID + cfg.NodeID = runtimeCfg.NodeID // Apply dev mode - base.DevMode = config.DevMode + cfg.DevMode = runtimeCfg.DevMode - // Override with our config - // todo(fs): these are now always set in the runtime config so we can simplify this + // Override with our runtimeCfg + // todo(fs): these are now always set in the runtime runtimeCfg so we can simplify this // todo(fs): or is there a reason to keep it like that? 
- base.Datacenter = config.Datacenter - base.PrimaryDatacenter = config.PrimaryDatacenter - base.DataDir = config.DataDir - base.NodeName = config.NodeName + cfg.Datacenter = runtimeCfg.Datacenter + cfg.PrimaryDatacenter = runtimeCfg.PrimaryDatacenter + cfg.DataDir = runtimeCfg.DataDir + cfg.NodeName = runtimeCfg.NodeName - base.CoordinateUpdateBatchSize = config.ConsulCoordinateUpdateBatchSize - base.CoordinateUpdateMaxBatches = config.ConsulCoordinateUpdateMaxBatches - base.CoordinateUpdatePeriod = config.ConsulCoordinateUpdatePeriod - base.CheckOutputMaxSize = config.CheckOutputMaxSize + cfg.CoordinateUpdateBatchSize = runtimeCfg.ConsulCoordinateUpdateBatchSize + cfg.CoordinateUpdateMaxBatches = runtimeCfg.ConsulCoordinateUpdateMaxBatches + cfg.CoordinateUpdatePeriod = runtimeCfg.ConsulCoordinateUpdatePeriod + cfg.CheckOutputMaxSize = runtimeCfg.CheckOutputMaxSize - base.RaftConfig.HeartbeatTimeout = config.ConsulRaftHeartbeatTimeout - base.RaftConfig.LeaderLeaseTimeout = config.ConsulRaftLeaderLeaseTimeout - base.RaftConfig.ElectionTimeout = config.ConsulRaftElectionTimeout + cfg.RaftConfig.HeartbeatTimeout = runtimeCfg.ConsulRaftHeartbeatTimeout + cfg.RaftConfig.LeaderLeaseTimeout = runtimeCfg.ConsulRaftLeaderLeaseTimeout + cfg.RaftConfig.ElectionTimeout = runtimeCfg.ConsulRaftElectionTimeout - base.SerfLANConfig.MemberlistConfig.BindAddr = config.SerfBindAddrLAN.IP.String() - base.SerfLANConfig.MemberlistConfig.BindPort = config.SerfBindAddrLAN.Port - base.SerfLANConfig.MemberlistConfig.CIDRsAllowed = config.SerfAllowedCIDRsLAN - base.SerfWANConfig.MemberlistConfig.CIDRsAllowed = config.SerfAllowedCIDRsWAN - base.SerfLANConfig.MemberlistConfig.AdvertiseAddr = config.SerfAdvertiseAddrLAN.IP.String() - base.SerfLANConfig.MemberlistConfig.AdvertisePort = config.SerfAdvertiseAddrLAN.Port - base.SerfLANConfig.MemberlistConfig.GossipVerifyIncoming = config.EncryptVerifyIncoming - base.SerfLANConfig.MemberlistConfig.GossipVerifyOutgoing = 
config.EncryptVerifyOutgoing - base.SerfLANConfig.MemberlistConfig.GossipInterval = config.GossipLANGossipInterval - base.SerfLANConfig.MemberlistConfig.GossipNodes = config.GossipLANGossipNodes - base.SerfLANConfig.MemberlistConfig.ProbeInterval = config.GossipLANProbeInterval - base.SerfLANConfig.MemberlistConfig.ProbeTimeout = config.GossipLANProbeTimeout - base.SerfLANConfig.MemberlistConfig.SuspicionMult = config.GossipLANSuspicionMult - base.SerfLANConfig.MemberlistConfig.RetransmitMult = config.GossipLANRetransmitMult - if config.ReconnectTimeoutLAN != 0 { - base.SerfLANConfig.ReconnectTimeout = config.ReconnectTimeoutLAN + cfg.SerfLANConfig.MemberlistConfig.BindAddr = runtimeCfg.SerfBindAddrLAN.IP.String() + cfg.SerfLANConfig.MemberlistConfig.BindPort = runtimeCfg.SerfBindAddrLAN.Port + cfg.SerfLANConfig.MemberlistConfig.CIDRsAllowed = runtimeCfg.SerfAllowedCIDRsLAN + cfg.SerfWANConfig.MemberlistConfig.CIDRsAllowed = runtimeCfg.SerfAllowedCIDRsWAN + cfg.SerfLANConfig.MemberlistConfig.AdvertiseAddr = runtimeCfg.SerfAdvertiseAddrLAN.IP.String() + cfg.SerfLANConfig.MemberlistConfig.AdvertisePort = runtimeCfg.SerfAdvertiseAddrLAN.Port + cfg.SerfLANConfig.MemberlistConfig.GossipVerifyIncoming = runtimeCfg.EncryptVerifyIncoming + cfg.SerfLANConfig.MemberlistConfig.GossipVerifyOutgoing = runtimeCfg.EncryptVerifyOutgoing + cfg.SerfLANConfig.MemberlistConfig.GossipInterval = runtimeCfg.GossipLANGossipInterval + cfg.SerfLANConfig.MemberlistConfig.GossipNodes = runtimeCfg.GossipLANGossipNodes + cfg.SerfLANConfig.MemberlistConfig.ProbeInterval = runtimeCfg.GossipLANProbeInterval + cfg.SerfLANConfig.MemberlistConfig.ProbeTimeout = runtimeCfg.GossipLANProbeTimeout + cfg.SerfLANConfig.MemberlistConfig.SuspicionMult = runtimeCfg.GossipLANSuspicionMult + cfg.SerfLANConfig.MemberlistConfig.RetransmitMult = runtimeCfg.GossipLANRetransmitMult + if runtimeCfg.ReconnectTimeoutLAN != 0 { + cfg.SerfLANConfig.ReconnectTimeout = runtimeCfg.ReconnectTimeoutLAN } - if 
config.SerfBindAddrWAN != nil { - base.SerfWANConfig.MemberlistConfig.BindAddr = config.SerfBindAddrWAN.IP.String() - base.SerfWANConfig.MemberlistConfig.BindPort = config.SerfBindAddrWAN.Port - base.SerfWANConfig.MemberlistConfig.AdvertiseAddr = config.SerfAdvertiseAddrWAN.IP.String() - base.SerfWANConfig.MemberlistConfig.AdvertisePort = config.SerfAdvertiseAddrWAN.Port - base.SerfWANConfig.MemberlistConfig.GossipVerifyIncoming = config.EncryptVerifyIncoming - base.SerfWANConfig.MemberlistConfig.GossipVerifyOutgoing = config.EncryptVerifyOutgoing - base.SerfWANConfig.MemberlistConfig.GossipInterval = config.GossipWANGossipInterval - base.SerfWANConfig.MemberlistConfig.GossipNodes = config.GossipWANGossipNodes - base.SerfWANConfig.MemberlistConfig.ProbeInterval = config.GossipWANProbeInterval - base.SerfWANConfig.MemberlistConfig.ProbeTimeout = config.GossipWANProbeTimeout - base.SerfWANConfig.MemberlistConfig.SuspicionMult = config.GossipWANSuspicionMult - base.SerfWANConfig.MemberlistConfig.RetransmitMult = config.GossipWANRetransmitMult - if config.ReconnectTimeoutWAN != 0 { - base.SerfWANConfig.ReconnectTimeout = config.ReconnectTimeoutWAN + if runtimeCfg.SerfBindAddrWAN != nil { + cfg.SerfWANConfig.MemberlistConfig.BindAddr = runtimeCfg.SerfBindAddrWAN.IP.String() + cfg.SerfWANConfig.MemberlistConfig.BindPort = runtimeCfg.SerfBindAddrWAN.Port + cfg.SerfWANConfig.MemberlistConfig.AdvertiseAddr = runtimeCfg.SerfAdvertiseAddrWAN.IP.String() + cfg.SerfWANConfig.MemberlistConfig.AdvertisePort = runtimeCfg.SerfAdvertiseAddrWAN.Port + cfg.SerfWANConfig.MemberlistConfig.GossipVerifyIncoming = runtimeCfg.EncryptVerifyIncoming + cfg.SerfWANConfig.MemberlistConfig.GossipVerifyOutgoing = runtimeCfg.EncryptVerifyOutgoing + cfg.SerfWANConfig.MemberlistConfig.GossipInterval = runtimeCfg.GossipWANGossipInterval + cfg.SerfWANConfig.MemberlistConfig.GossipNodes = runtimeCfg.GossipWANGossipNodes + cfg.SerfWANConfig.MemberlistConfig.ProbeInterval = 
runtimeCfg.GossipWANProbeInterval + cfg.SerfWANConfig.MemberlistConfig.ProbeTimeout = runtimeCfg.GossipWANProbeTimeout + cfg.SerfWANConfig.MemberlistConfig.SuspicionMult = runtimeCfg.GossipWANSuspicionMult + cfg.SerfWANConfig.MemberlistConfig.RetransmitMult = runtimeCfg.GossipWANRetransmitMult + if runtimeCfg.ReconnectTimeoutWAN != 0 { + cfg.SerfWANConfig.ReconnectTimeout = runtimeCfg.ReconnectTimeoutWAN } } else { // Disable serf WAN federation - base.SerfWANConfig = nil + cfg.SerfWANConfig = nil } - base.RPCAddr = config.RPCBindAddr - base.RPCAdvertise = config.RPCAdvertiseAddr + cfg.RPCAddr = runtimeCfg.RPCBindAddr + cfg.RPCAdvertise = runtimeCfg.RPCAdvertiseAddr - base.Segment = config.SegmentName - if len(config.Segments) > 0 { - segments, err := segmentConfig(config) + cfg.Segment = runtimeCfg.SegmentName + if len(runtimeCfg.Segments) > 0 { + segments, err := segmentConfig(runtimeCfg) if err != nil { return nil, err } - base.Segments = segments + cfg.Segments = segments } - if config.Bootstrap { - base.Bootstrap = true + if runtimeCfg.Bootstrap { + cfg.Bootstrap = true } - if config.CheckOutputMaxSize > 0 { - base.CheckOutputMaxSize = config.CheckOutputMaxSize + if runtimeCfg.CheckOutputMaxSize > 0 { + cfg.CheckOutputMaxSize = runtimeCfg.CheckOutputMaxSize } - if config.RejoinAfterLeave { - base.RejoinAfterLeave = true + if runtimeCfg.RejoinAfterLeave { + cfg.RejoinAfterLeave = true } - if config.BootstrapExpect != 0 { - base.BootstrapExpect = config.BootstrapExpect + if runtimeCfg.BootstrapExpect != 0 { + cfg.BootstrapExpect = runtimeCfg.BootstrapExpect } - if config.RPCProtocol > 0 { - base.ProtocolVersion = uint8(config.RPCProtocol) + if runtimeCfg.RPCProtocol > 0 { + cfg.ProtocolVersion = uint8(runtimeCfg.RPCProtocol) } - if config.RaftProtocol != 0 { - base.RaftConfig.ProtocolVersion = raft.ProtocolVersion(config.RaftProtocol) + if runtimeCfg.RaftProtocol != 0 { + cfg.RaftConfig.ProtocolVersion = raft.ProtocolVersion(runtimeCfg.RaftProtocol) } - if 
config.RaftSnapshotThreshold != 0 { - base.RaftConfig.SnapshotThreshold = uint64(config.RaftSnapshotThreshold) + if runtimeCfg.RaftSnapshotThreshold != 0 { + cfg.RaftConfig.SnapshotThreshold = uint64(runtimeCfg.RaftSnapshotThreshold) } - if config.RaftSnapshotInterval != 0 { - base.RaftConfig.SnapshotInterval = config.RaftSnapshotInterval + if runtimeCfg.RaftSnapshotInterval != 0 { + cfg.RaftConfig.SnapshotInterval = runtimeCfg.RaftSnapshotInterval } - if config.RaftTrailingLogs != 0 { - base.RaftConfig.TrailingLogs = uint64(config.RaftTrailingLogs) + if runtimeCfg.RaftTrailingLogs != 0 { + cfg.RaftConfig.TrailingLogs = uint64(runtimeCfg.RaftTrailingLogs) } - if config.ACLMasterToken != "" { - base.ACLMasterToken = config.ACLMasterToken + if runtimeCfg.ACLMasterToken != "" { + cfg.ACLMasterToken = runtimeCfg.ACLMasterToken } - if config.ACLDatacenter != "" { - base.ACLDatacenter = config.ACLDatacenter + if runtimeCfg.ACLDatacenter != "" { + cfg.ACLDatacenter = runtimeCfg.ACLDatacenter } - if config.ACLTokenTTL != 0 { - base.ACLTokenTTL = config.ACLTokenTTL + if runtimeCfg.ACLTokenTTL != 0 { + cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL } - if config.ACLPolicyTTL != 0 { - base.ACLPolicyTTL = config.ACLPolicyTTL + if runtimeCfg.ACLPolicyTTL != 0 { + cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL } - if config.ACLRoleTTL != 0 { - base.ACLRoleTTL = config.ACLRoleTTL + if runtimeCfg.ACLRoleTTL != 0 { + cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL } - if config.ACLDefaultPolicy != "" { - base.ACLDefaultPolicy = config.ACLDefaultPolicy + if runtimeCfg.ACLDefaultPolicy != "" { + cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy } - if config.ACLDownPolicy != "" { - base.ACLDownPolicy = config.ACLDownPolicy + if runtimeCfg.ACLDownPolicy != "" { + cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy } - base.ACLTokenReplication = config.ACLTokenReplication - base.ACLsEnabled = config.ACLsEnabled - if config.ACLEnableKeyListPolicy { - base.ACLEnableKeyListPolicy = config.ACLEnableKeyListPolicy + 
cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication + cfg.ACLsEnabled = runtimeCfg.ACLsEnabled + if runtimeCfg.ACLEnableKeyListPolicy { + cfg.ACLEnableKeyListPolicy = runtimeCfg.ACLEnableKeyListPolicy } - if config.SessionTTLMin != 0 { - base.SessionTTLMin = config.SessionTTLMin + if runtimeCfg.SessionTTLMin != 0 { + cfg.SessionTTLMin = runtimeCfg.SessionTTLMin } - if config.NonVotingServer { - base.NonVoter = config.NonVotingServer + if runtimeCfg.NonVotingServer { + cfg.NonVoter = runtimeCfg.NonVotingServer } // These are fully specified in the agent defaults, so we can simply // copy them over. - base.AutopilotConfig.CleanupDeadServers = config.AutopilotCleanupDeadServers - base.AutopilotConfig.LastContactThreshold = config.AutopilotLastContactThreshold - base.AutopilotConfig.MaxTrailingLogs = uint64(config.AutopilotMaxTrailingLogs) - base.AutopilotConfig.MinQuorum = config.AutopilotMinQuorum - base.AutopilotConfig.ServerStabilizationTime = config.AutopilotServerStabilizationTime - base.AutopilotConfig.RedundancyZoneTag = config.AutopilotRedundancyZoneTag - base.AutopilotConfig.DisableUpgradeMigration = config.AutopilotDisableUpgradeMigration - base.AutopilotConfig.UpgradeVersionTag = config.AutopilotUpgradeVersionTag + cfg.AutopilotConfig.CleanupDeadServers = runtimeCfg.AutopilotCleanupDeadServers + cfg.AutopilotConfig.LastContactThreshold = runtimeCfg.AutopilotLastContactThreshold + cfg.AutopilotConfig.MaxTrailingLogs = uint64(runtimeCfg.AutopilotMaxTrailingLogs) + cfg.AutopilotConfig.MinQuorum = runtimeCfg.AutopilotMinQuorum + cfg.AutopilotConfig.ServerStabilizationTime = runtimeCfg.AutopilotServerStabilizationTime + cfg.AutopilotConfig.RedundancyZoneTag = runtimeCfg.AutopilotRedundancyZoneTag + cfg.AutopilotConfig.DisableUpgradeMigration = runtimeCfg.AutopilotDisableUpgradeMigration + cfg.AutopilotConfig.UpgradeVersionTag = runtimeCfg.AutopilotUpgradeVersionTag // make sure the advertise address is always set - if base.RPCAdvertise == nil { - 
base.RPCAdvertise = base.RPCAddr + if cfg.RPCAdvertise == nil { + cfg.RPCAdvertise = cfg.RPCAddr } // Rate limiting for RPC calls. - if config.RPCRateLimit > 0 { - base.RPCRate = config.RPCRateLimit + if runtimeCfg.RPCRateLimit > 0 { + cfg.RPCRate = runtimeCfg.RPCRateLimit } - if config.RPCMaxBurst > 0 { - base.RPCMaxBurst = config.RPCMaxBurst + if runtimeCfg.RPCMaxBurst > 0 { + cfg.RPCMaxBurst = runtimeCfg.RPCMaxBurst } // RPC timeouts/limits. - if config.RPCHandshakeTimeout > 0 { - base.RPCHandshakeTimeout = config.RPCHandshakeTimeout + if runtimeCfg.RPCHandshakeTimeout > 0 { + cfg.RPCHandshakeTimeout = runtimeCfg.RPCHandshakeTimeout } - if config.RPCMaxConnsPerClient > 0 { - base.RPCMaxConnsPerClient = config.RPCMaxConnsPerClient + if runtimeCfg.RPCMaxConnsPerClient > 0 { + cfg.RPCMaxConnsPerClient = runtimeCfg.RPCMaxConnsPerClient } // RPC-related performance configs. We allow explicit zero value to disable so // copy it whatever the value. - base.RPCHoldTimeout = config.RPCHoldTimeout + cfg.RPCHoldTimeout = runtimeCfg.RPCHoldTimeout - if config.LeaveDrainTime > 0 { - base.LeaveDrainTime = config.LeaveDrainTime + if runtimeCfg.LeaveDrainTime > 0 { + cfg.LeaveDrainTime = runtimeCfg.LeaveDrainTime } // set the src address for outgoing rpc connections // Use port 0 so that outgoing connections use a random port. 
- if !ipaddr.IsAny(base.RPCAddr.IP) { - base.RPCSrcAddr = &net.TCPAddr{IP: base.RPCAddr.IP} + if !ipaddr.IsAny(cfg.RPCAddr.IP) { + cfg.RPCSrcAddr = &net.TCPAddr{IP: cfg.RPCAddr.IP} } // Format the build string - revision := config.Revision + revision := runtimeCfg.Revision if len(revision) > 8 { revision = revision[:8] } - base.Build = fmt.Sprintf("%s%s:%s", config.Version, config.VersionPrerelease, revision) + cfg.Build = fmt.Sprintf("%s%s:%s", runtimeCfg.Version, runtimeCfg.VersionPrerelease, revision) // Copy the TLS configuration - base.VerifyIncoming = config.VerifyIncoming || config.VerifyIncomingRPC - if config.CAPath != "" || config.CAFile != "" { - base.UseTLS = true + cfg.VerifyIncoming = runtimeCfg.VerifyIncoming || runtimeCfg.VerifyIncomingRPC + if runtimeCfg.CAPath != "" || runtimeCfg.CAFile != "" { + cfg.UseTLS = true } - base.VerifyOutgoing = config.VerifyOutgoing - base.VerifyServerHostname = config.VerifyServerHostname - base.CAFile = config.CAFile - base.CAPath = config.CAPath - base.CertFile = config.CertFile - base.KeyFile = config.KeyFile - base.ServerName = config.ServerName - base.Domain = config.DNSDomain - base.TLSMinVersion = config.TLSMinVersion - base.TLSCipherSuites = config.TLSCipherSuites - base.TLSPreferServerCipherSuites = config.TLSPreferServerCipherSuites - base.DefaultQueryTime = config.DefaultQueryTime - base.MaxQueryTime = config.MaxQueryTime + cfg.VerifyOutgoing = runtimeCfg.VerifyOutgoing + cfg.VerifyServerHostname = runtimeCfg.VerifyServerHostname + cfg.CAFile = runtimeCfg.CAFile + cfg.CAPath = runtimeCfg.CAPath + cfg.CertFile = runtimeCfg.CertFile + cfg.KeyFile = runtimeCfg.KeyFile + cfg.ServerName = runtimeCfg.ServerName + cfg.Domain = runtimeCfg.DNSDomain + cfg.TLSMinVersion = runtimeCfg.TLSMinVersion + cfg.TLSCipherSuites = runtimeCfg.TLSCipherSuites + cfg.TLSPreferServerCipherSuites = runtimeCfg.TLSPreferServerCipherSuites + cfg.DefaultQueryTime = runtimeCfg.DefaultQueryTime + cfg.MaxQueryTime = runtimeCfg.MaxQueryTime 
- base.AutoEncryptAllowTLS = config.AutoEncryptAllowTLS + cfg.AutoEncryptAllowTLS = runtimeCfg.AutoEncryptAllowTLS - // Copy the Connect CA bootstrap config - if config.ConnectEnabled { - base.ConnectEnabled = true - base.ConnectMeshGatewayWANFederationEnabled = config.ConnectMeshGatewayWANFederationEnabled + // Copy the Connect CA bootstrap runtimeCfg + if runtimeCfg.ConnectEnabled { + cfg.ConnectEnabled = true + cfg.ConnectMeshGatewayWANFederationEnabled = runtimeCfg.ConnectMeshGatewayWANFederationEnabled - ca, err := config.ConnectCAConfiguration() + ca, err := runtimeCfg.ConnectCAConfiguration() if err != nil { return nil, err } - base.CAConfig = ca + cfg.CAConfig = ca } - // copy over auto config settings - base.AutoConfigEnabled = config.AutoConfig.Enabled - base.AutoConfigIntroToken = config.AutoConfig.IntroToken - base.AutoConfigIntroTokenFile = config.AutoConfig.IntroTokenFile - base.AutoConfigServerAddresses = config.AutoConfig.ServerAddresses - base.AutoConfigDNSSANs = config.AutoConfig.DNSSANs - base.AutoConfigIPSANs = config.AutoConfig.IPSANs - base.AutoConfigAuthzEnabled = config.AutoConfig.Authorizer.Enabled - base.AutoConfigAuthzAuthMethod = config.AutoConfig.Authorizer.AuthMethod - base.AutoConfigAuthzClaimAssertions = config.AutoConfig.Authorizer.ClaimAssertions - base.AutoConfigAuthzAllowReuse = config.AutoConfig.Authorizer.AllowReuse + // copy over auto runtimeCfg settings + cfg.AutoConfigEnabled = runtimeCfg.AutoConfig.Enabled + cfg.AutoConfigIntroToken = runtimeCfg.AutoConfig.IntroToken + cfg.AutoConfigIntroTokenFile = runtimeCfg.AutoConfig.IntroTokenFile + cfg.AutoConfigServerAddresses = runtimeCfg.AutoConfig.ServerAddresses + cfg.AutoConfigDNSSANs = runtimeCfg.AutoConfig.DNSSANs + cfg.AutoConfigIPSANs = runtimeCfg.AutoConfig.IPSANs + cfg.AutoConfigAuthzEnabled = runtimeCfg.AutoConfig.Authorizer.Enabled + cfg.AutoConfigAuthzAuthMethod = runtimeCfg.AutoConfig.Authorizer.AuthMethod + cfg.AutoConfigAuthzClaimAssertions = 
runtimeCfg.AutoConfig.Authorizer.ClaimAssertions + cfg.AutoConfigAuthzAllowReuse = runtimeCfg.AutoConfig.Authorizer.AllowReuse // This will set up the LAN keyring, as well as the WAN and any segments // for servers. // TODO: move this closer to where the keyrings will be used. - if err := setupKeyrings(base, config, logger); err != nil { + if err := setupKeyrings(cfg, runtimeCfg, logger); err != nil { return nil, fmt.Errorf("Failed to configure keyring: %v", err) } - base.ConfigEntryBootstrap = config.ConfigEntryBootstrap + cfg.ConfigEntryBootstrap = runtimeCfg.ConfigEntryBootstrap - enterpriseConsulConfig(base, config) - return base, nil + enterpriseConsulConfig(cfg, runtimeCfg) + return cfg, nil } // Setup the serf and memberlist config for any defined network segments.
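Review bot: The mechanical `config` → `runtimeCfg` rename also rewrote four prose comments inside newConsulConfig, which now read `// Override with our runtimeCfg`, `// todo(fs): these are now always set in the runtime runtimeCfg so we can simplify this`, `// Copy the Connect CA bootstrap runtimeCfg` and `// copy over auto runtimeCfg settings`. In each of these the word was the English noun "config", not the variable, so the original wording (`// Override with our config`, `… set in the runtime config …`, `// Copy the Connect CA bootstrap config`, `// copy over auto config settings`) should be restored. The code-side rename itself reads consistently across the hunk, and the function's signature and closing brace are both within it.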