status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-11 14:24:39 +00:00
Code Issues Projects Releases Wiki Activity

Pass the Config and TLS Configurator into the AutoConfig constructor

Browse Source 
This is instead of having the AutoConfigBackend interface provide functions for retrieving them.

NOTE: the config is not reloadable. For now this is fine as we don’t look at any reloadable fields. If that changes then we should provide a way to make it reloadable.
This commit is contained in:
Matt Keeler 2020-07-08 12:36:11 -04:00
parent f2f32735ce
commit 4fb535ba48
No known key found for this signature in database
GPG Key ID: 04DBAE1857E0081B
3 changed files with 45 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
agent/consul/auto_config_endpoint.go
View File

@ -80,27 +80,34 @@ func (a *jwtAuthorizer) Authorize(req *agentpb.AutoConfigRequest) (AutoConfigOpt
} }
type AutoConfigBackend interface { type AutoConfigBackend interface {
GetConfig() *Config
CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error) CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error)
DatacenterJoinAddresses(segment string) ([]string, error) DatacenterJoinAddresses(segment string) ([]string, error)
TLSConfigurator() *tlsutil.Configurator
ForwardRPC(method string, info structs.RPCInfo, args, reply interface{}) (bool, error) ForwardRPC(method string, info structs.RPCInfo, args, reply interface{}) (bool, error)
} }
// AutoConfig endpoint is used for cluster auto configuration operations // AutoConfig endpoint is used for cluster auto configuration operations
type AutoConfig struct { type AutoConfig struct {
// currently AutoConfig does not support pushing down any configuration that would be reloadable on the servers
// (outside of some TLS settings such as the configured CA certs which are retrieved via the TLS configurator)
// If that changes then we will need to change this to use an atomic.Value and provide means of reloading it.
config *Config
tlsConfigurator *tlsutil.Configurator
backend AutoConfigBackend backend AutoConfigBackend
authorizer AutoConfigAuthorizer authorizer AutoConfigAuthorizer
} }
// getBackendConfig is a small wrapper around the backend's GetConfig to ensure func NewAutoConfig(conf *Config, tlsConfigurator *tlsutil.Configurator, backend AutoConfigBackend, authz AutoConfigAuthorizer) *AutoConfig {
// that all helper functions have a non-nil configuration to operate on. if conf == nil {
func (ac *AutoConfig) getBackendConfig() *Config { conf = DefaultConfig()
if conf := ac.backend.GetConfig(); conf != nil {
return conf
} }
return DefaultConfig() return &AutoConfig{
config: conf,
tlsConfigurator: tlsConfigurator,
backend: backend,
authorizer: authz,
}
} }
// updateTLSCertificatesInConfig will ensure that the TLS settings regarding how an agent is // updateTLSCertificatesInConfig will ensure that the TLS settings regarding how an agent is
@ -108,28 +115,26 @@ func (ac *AutoConfig) getBackendConfig() *Config {
// in some cases only if auto_encrypt is enabled on the servers. This endpoint has the option // in some cases only if auto_encrypt is enabled on the servers. This endpoint has the option
// to configure auto_encrypt or potentially in the future to generate the certificates inline. // to configure auto_encrypt or potentially in the future to generate the certificates inline.
func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, conf *config.Config) error { func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, conf *config.Config) error {
conf.AutoEncrypt = &config.AutoEncrypt{TLS: ac.getBackendConfig().AutoEncryptAllowTLS} conf.AutoEncrypt = &config.AutoEncrypt{TLS: ac.config.AutoEncryptAllowTLS}
return nil return nil
} }
// updateACLtokensInConfig will configure all of the agents ACL settings and will populate // updateACLtokensInConfig will configure all of the agents ACL settings and will populate
// the configuration with an agent token usable for all default agent operations. // the configuration with an agent token usable for all default agent operations.
func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, conf *config.Config) error { func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, conf *config.Config) error {
backendConf := ac.getBackendConfig()
acl := &config.ACL{ acl := &config.ACL{
Enabled: backendConf.ACLsEnabled, Enabled: ac.config.ACLsEnabled,
PolicyTTL: backendConf.ACLPolicyTTL.String(), PolicyTTL: ac.config.ACLPolicyTTL.String(),
RoleTTL: backendConf.ACLRoleTTL.String(), RoleTTL: ac.config.ACLRoleTTL.String(),
TokenTTL: backendConf.ACLTokenTTL.String(), TokenTTL: ac.config.ACLTokenTTL.String(),
DisabledTTL: backendConf.ACLDisabledTTL.String(), DisabledTTL: ac.config.ACLDisabledTTL.String(),
DownPolicy: backendConf.ACLDownPolicy, DownPolicy: ac.config.ACLDownPolicy,
DefaultPolicy: backendConf.ACLDefaultPolicy, DefaultPolicy: ac.config.ACLDefaultPolicy,
EnableKeyListPolicy: backendConf.ACLEnableKeyListPolicy, EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy,
} }
// when ACLs are enabled we want to create a local token with a node identity // when ACLs are enabled we want to create a local token with a node identity
if backendConf.ACLsEnabled { if ac.config.ACLsEnabled {
// set up the token template - the ids and create // set up the token template - the ids and create
template := structs.ACLToken{ template := structs.ACLToken{
Description: fmt.Sprintf("Auto Config Token for Node %q", opts.NodeName), Description: fmt.Sprintf("Auto Config Token for Node %q", opts.NodeName),
@ -137,7 +142,7 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, conf *config.Co
NodeIdentities: []*structs.ACLNodeIdentity{ NodeIdentities: []*structs.ACLNodeIdentity{
{ {
NodeName: opts.NodeName, NodeName: opts.NodeName,
Datacenter: backendConf.Datacenter, Datacenter: ac.config.Datacenter,
}, },
}, },
EnterpriseMeta: *structs.DefaultEnterpriseMeta(), EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
@ -148,16 +153,6 @@ func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, conf *config.Co
return fmt.Errorf("Failed to generate an ACL token for node %q - %w", opts.NodeName, err) return fmt.Errorf("Failed to generate an ACL token for node %q - %w", opts.NodeName, err)
} }
// req := structs.ACLTokenBatchSetRequest{
// Tokens: structs.ACLTokens{&token},
// CAS: false,
// }
// // perform the request to mint the new token
// if _, err := c.srv.raftApplyMsgpack(structs.ACLTokenSetRequestType, &req); err != nil {
// return err
// }
acl.Tokens = &config.ACLTokens{Agent: token.SecretID} acl.Tokens = &config.ACLTokens{Agent: token.SecretID}
} }
@ -173,14 +168,6 @@ func (ac *AutoConfig) updateJoinAddressesInConfig(opts AutoConfigOptions, conf *
return err return err
} }
// var joinAddrs []string
// for _, m := range members {
// if ok, _ := metadata.IsConsulServer(m); ok {
// serfAddr := net.TCPAddr{IP: m.Addr, Port: int(m.Port)}
// joinAddrs = append(joinAddrs, serfAddr.String())
// }
// }
if conf.Gossip == nil { if conf.Gossip == nil {
conf.Gossip = &config.Gossip{} conf.Gossip = &config.Gossip{}
} }
@ -192,7 +179,7 @@ func (ac *AutoConfig) updateJoinAddressesInConfig(opts AutoConfigOptions, conf *
// updateGossipEncryptionInConfig will populate the gossip encryption configuration settings // updateGossipEncryptionInConfig will populate the gossip encryption configuration settings
func (ac *AutoConfig) updateGossipEncryptionInConfig(_ AutoConfigOptions, conf *config.Config) error { func (ac *AutoConfig) updateGossipEncryptionInConfig(_ AutoConfigOptions, conf *config.Config) error {
// Add gossip encryption settings if there is any key loaded // Add gossip encryption settings if there is any key loaded
memberlistConfig := ac.getBackendConfig().SerfLANConfig.MemberlistConfig memberlistConfig := ac.config.SerfLANConfig.MemberlistConfig
if lanKeyring := memberlistConfig.Keyring; lanKeyring != nil { if lanKeyring := memberlistConfig.Keyring; lanKeyring != nil {
if conf.Gossip == nil { if conf.Gossip == nil {
conf.Gossip = &config.Gossip{} conf.Gossip = &config.Gossip{}
@ -216,8 +203,7 @@ func (ac *AutoConfig) updateGossipEncryptionInConfig(_ AutoConfigOptions, conf *
// updateTLSSettingsInConfig will populate the TLS configuration settings but will not // updateTLSSettingsInConfig will populate the TLS configuration settings but will not
// populate leaf or ca certficiates. // populate leaf or ca certficiates.
func (ac *AutoConfig) updateTLSSettingsInConfig(_ AutoConfigOptions, conf *config.Config) error { func (ac *AutoConfig) updateTLSSettingsInConfig(_ AutoConfigOptions, conf *config.Config) error {
tlsConfigurator := ac.backend.TLSConfigurator() if ac.tlsConfigurator == nil {
if tlsConfigurator == nil {
// TLS is not enabled? // TLS is not enabled?
return nil return nil
} }
@ -227,8 +213,8 @@ func (ac *AutoConfig) updateTLSSettingsInConfig(_ AutoConfigOptions, conf *confi
conf.TLS = &config.TLS{} conf.TLS = &config.TLS{}
} }
conf.TLS.VerifyServerHostname = tlsConfigurator.VerifyServerHostname() conf.TLS.VerifyServerHostname = ac.tlsConfigurator.VerifyServerHostname()
base := tlsConfigurator.Base() base := ac.tlsConfigurator.Base()
conf.TLS.VerifyOutgoing = base.VerifyOutgoing conf.TLS.VerifyOutgoing = base.VerifyOutgoing
conf.TLS.MinVersion = base.TLSMinVersion conf.TLS.MinVersion = base.TLSMinVersion
conf.TLS.PreferServerCipherSuites = base.PreferServerCipherSuites conf.TLS.PreferServerCipherSuites = base.PreferServerCipherSuites
@ -241,14 +227,12 @@ func (ac *AutoConfig) updateTLSSettingsInConfig(_ AutoConfigOptions, conf *confi
// baseConfig will populate the configuration with some base settings such as the // baseConfig will populate the configuration with some base settings such as the
// datacenter names, node name etc. // datacenter names, node name etc.
func (ac *AutoConfig) baseConfig(opts AutoConfigOptions, conf *config.Config) error { func (ac *AutoConfig) baseConfig(opts AutoConfigOptions, conf *config.Config) error {
backendConf := ac.getBackendConfig()
if opts.NodeName == "" { if opts.NodeName == "" {
return fmt.Errorf("Cannot generate auto config response without a node name") return fmt.Errorf("Cannot generate auto config response without a node name")
} }
conf.Datacenter = backendConf.Datacenter conf.Datacenter = ac.config.Datacenter
conf.PrimaryDatacenter = backendConf.PrimaryDatacenter conf.PrimaryDatacenter = ac.config.PrimaryDatacenter
conf.NodeName = opts.NodeName conf.NodeName = opts.NodeName
conf.SegmentName = opts.SegmentName conf.SegmentName = opts.SegmentName
@ -274,19 +258,22 @@ var (
// AgentAutoConfig will authorize the incoming request and then generate the configuration // AgentAutoConfig will authorize the incoming request and then generate the configuration
// to push down to the client // to push down to the client
func (ac *AutoConfig) InitialConfiguration(req *agentpb.AutoConfigRequest, resp *agentpb.AutoConfigResponse) error { func (ac *AutoConfig) InitialConfiguration(req *agentpb.AutoConfigRequest, resp *agentpb.AutoConfigResponse) error {
backendConf := ac.getBackendConfig()
// default the datacenter to our datacenter - agents do not have to specify this as they may not // default the datacenter to our datacenter - agents do not have to specify this as they may not
// yet know the datacenter name they are going to be in. // yet know the datacenter name they are going to be in.
if req.Datacenter == "" { if req.Datacenter == "" {
req.Datacenter = backendConf.Datacenter req.Datacenter = ac.config.Datacenter
} }
// TODO (autoconf) Is performing auto configuration over the WAN really a bad idea? // TODO (autoconf) Is performing auto configuration over the WAN really a bad idea?
if req.Datacenter != backendConf.Datacenter { if req.Datacenter != ac.config.Datacenter {
return fmt.Errorf("invalid datacenter %q - agent auto configuration cannot target a remote datacenter", req.Datacenter) return fmt.Errorf("invalid datacenter %q - agent auto configuration cannot target a remote datacenter", req.Datacenter)
} }
// TODO (autoconf) maybe panic instead?
if ac.backend == nil {
return fmt.Errorf("No Auto Config backend is configured")
}
// forward to the leader // forward to the leader
if done, err := ac.backend.ForwardRPC("AutoConfig.InitialConfiguration", req, req, resp); done { if done, err := ac.backend.ForwardRPC("AutoConfig.InitialConfiguration", req, req, resp); done {
return err return err

46
agent/consul/auto_config_endpoint_test.go
View File

@ -29,13 +29,6 @@ type mockAutoConfigBackend struct {
mock.Mock mock.Mock
} }
func (m *mockAutoConfigBackend) GetConfig() *Config {
ret := m.Called()
// this handles converting an untyped nil to a typed nil
cfg, _ := ret.Get(0).(*Config)
return cfg
}
func (m *mockAutoConfigBackend) CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error) { func (m *mockAutoConfigBackend) CreateACLToken(template *structs.ACLToken) (*structs.ACLToken, error) {
ret := m.Called(template) ret := m.Called(template)
// this handles converting an untyped nil to a typed nil // this handles converting an untyped nil to a typed nil
@ -50,13 +43,6 @@ func (m *mockAutoConfigBackend) DatacenterJoinAddresses(segment string) ([]strin
return addrs, ret.Error(1) return addrs, ret.Error(1)
} }
func (m *mockAutoConfigBackend) TLSConfigurator() *tlsutil.Configurator {
ret := m.Called()
// this handles converting an untyped nil to a typed nil
cfg, _ := ret.Get(0).(*tlsutil.Configurator)
return cfg
}
func (m *mockAutoConfigBackend) ForwardRPC(method string, info structs.RPCInfo, args, reply interface{}) (bool, error) { func (m *mockAutoConfigBackend) ForwardRPC(method string, info structs.RPCInfo, args, reply interface{}) (bool, error) {
ret := m.Called(method, info, args, reply) ret := m.Called(method, info, args, reply)
return ret.Bool(0), ret.Error(1) return ret.Bool(0), ret.Error(1)
@ -315,11 +301,8 @@ func TestAutoConfig_baseConfig(t *testing.T) {
for name, tcase := range cases { for name, tcase := range cases {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
backend := &mockAutoConfigBackend{}
backend.On("GetConfig").Return(&tcase.serverConfig).Once()
ac := AutoConfig{ ac := AutoConfig{
backend: backend, config: &tcase.serverConfig,
} }
var actual config.Config var actual config.Config
@ -330,8 +313,6 @@ func TestAutoConfig_baseConfig(t *testing.T) {
} else { } else {
testutil.RequireErrorContains(t, err, tcase.err) testutil.RequireErrorContains(t, err, tcase.err)
} }
backend.AssertExpectations(t)
}) })
} }
} }
@ -406,19 +387,14 @@ func TestAutoConfig_updateTLSSettingsInConfig(t *testing.T) {
configurator, err := tlsutil.NewConfigurator(tcase.tlsConfig, logger) configurator, err := tlsutil.NewConfigurator(tcase.tlsConfig, logger)
require.NoError(t, err) require.NoError(t, err)
backend := &mockAutoConfigBackend{}
backend.On("TLSConfigurator").Return(configurator).Once()
ac := &AutoConfig{ ac := &AutoConfig{
backend: backend, tlsConfigurator: configurator,
} }
var actual config.Config var actual config.Config
err = ac.updateTLSSettingsInConfig(AutoConfigOptions{}, &actual) err = ac.updateTLSSettingsInConfig(AutoConfigOptions{}, &actual)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, tcase.expected, actual) require.Equal(t, tcase.expected, actual)
backend.AssertExpectations(t)
}) })
} }
} }
@ -483,19 +459,14 @@ func TestAutoConfig_updateGossipEncryptionInConfig(t *testing.T) {
cfg := DefaultConfig() cfg := DefaultConfig()
cfg.SerfLANConfig.MemberlistConfig = &tcase.conf cfg.SerfLANConfig.MemberlistConfig = &tcase.conf
backend := &mockAutoConfigBackend{}
backend.On("GetConfig").Return(cfg).Once()
ac := AutoConfig{ ac := AutoConfig{
backend: backend, config: cfg,
} }
var actual config.Config var actual config.Config
err := ac.updateGossipEncryptionInConfig(AutoConfigOptions{}, &actual) err := ac.updateGossipEncryptionInConfig(AutoConfigOptions{}, &actual)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, tcase.expected, actual) require.Equal(t, tcase.expected, actual)
backend.AssertExpectations(t)
}) })
} }
} }
@ -529,19 +500,14 @@ func TestAutoConfig_updateTLSCertificatesInConfig(t *testing.T) {
for name, tcase := range cases { for name, tcase := range cases {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
backend := &mockAutoConfigBackend{}
backend.On("GetConfig").Return(&tcase.serverConfig).Once()
ac := AutoConfig{ ac := AutoConfig{
backend: backend, config: &tcase.serverConfig,
} }
var actual config.Config var actual config.Config
err := ac.updateTLSCertificatesInConfig(AutoConfigOptions{}, &actual) err := ac.updateTLSCertificatesInConfig(AutoConfigOptions{}, &actual)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, tcase.expected, actual) require.Equal(t, tcase.expected, actual)
backend.AssertExpectations(t)
}) })
} }
} }
@ -632,8 +598,6 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
for name, tcase := range cases { for name, tcase := range cases {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
backend := &mockAutoConfigBackend{} backend := &mockAutoConfigBackend{}
backend.On("GetConfig").Return(&tcase.config).Once()
expectedTemplate := &structs.ACLToken{ expectedTemplate := &structs.ACLToken{
Description: `Auto Config Token for Node "something"`, Description: `Auto Config Token for Node "something"`,
Local: true, Local: true,
@ -664,7 +628,7 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) {
backend.On("CreateACLToken", expectedTemplate).Return(testToken, tcase.err).Once() backend.On("CreateACLToken", expectedTemplate).Return(testToken, tcase.err).Once()
} }
ac := AutoConfig{backend: backend} ac := AutoConfig{config: &tcase.config, backend: backend}
var actual config.Config var actual config.Config
err := ac.updateACLsInConfig(AutoConfigOptions{NodeName: "something"}, &actual) err := ac.updateACLsInConfig(AutoConfigOptions{NodeName: "something"}, &actual)

14
agent/consul/server.go
View File

@ -876,7 +876,7 @@ func (s *Server) setupRPC() error {
authz = &disabledAuthorizer{} authz = &disabledAuthorizer{}
} }
// now register with the insecure RPC server // now register with the insecure RPC server
s.insecureRPCServer.Register(&AutoConfig{backend: s, authorizer: authz}) s.insecureRPCServer.Register(NewAutoConfig(s.config, s.tlsConfigurator, s, authz))
ln, err := net.ListenTCP("tcp", s.config.RPCAddr) ln, err := net.ListenTCP("tcp", s.config.RPCAddr)
if err != nil { if err != nil {
@ -1502,18 +1502,6 @@ func (s *Server) DatacenterJoinAddresses(segment string) ([]string, error) {
return joinAddrs, nil return joinAddrs, nil
} }
// GetConfig will return the servers configuration - this is needed to satisfy
// interfaces: AutoConfigDelegate
func (s *Server) GetConfig() *Config {
return s.config
}
// TLSConfigurator just returns the servers TLS Configurator - this is needed to satisfy
// interfaces: AutoConfigDelegate
func (s *Server) TLSConfigurator() *tlsutil.Configurator {
return s.tlsConfigurator
}
// peersInfoContent is used to help operators understand what happened to the // peersInfoContent is used to help operators understand what happened to the
// peers.json file. This is written to a file called peers.info in the same // peers.json file. This is written to a file called peers.info in the same
// location. // location.