diff --git a/agent/config/builder.go b/agent/config/builder.go index 4eb3afef17..ae5ffd17ba 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -626,10 +626,40 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier) consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier) - // Connect proxy defaults. + // Connect connectEnabled := b.boolVal(c.Connect.Enabled) connectCAProvider := b.stringVal(c.Connect.CAProvider) connectCAConfig := c.Connect.CAConfig + + // autoEncrypt and autoConfig implicitly turns on connect which is why + // they need to be above other settings that rely on connect. + autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS) + autoEncryptDNSSAN := []string{} + for _, d := range c.AutoEncrypt.DNSSAN { + autoEncryptDNSSAN = append(autoEncryptDNSSAN, d) + } + autoEncryptIPSAN := []net.IP{} + for _, i := range c.AutoEncrypt.IPSAN { + ip := net.ParseIP(i) + if ip == nil { + b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i)) + continue + } + autoEncryptIPSAN = append(autoEncryptIPSAN, ip) + + } + autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS) + + if autoEncryptAllowTLS { + connectEnabled = true + } + + autoConfig := b.autoConfigVal(c.AutoConfig) + if autoConfig.Enabled { + connectEnabled = true + } + + // Connect proxy defaults connectMeshGatewayWANFederationEnabled := b.boolVal(c.Connect.MeshGatewayWANFederationEnabled) if connectMeshGatewayWANFederationEnabled && !connectEnabled { return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'") @@ -668,27 +698,6 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { }) } - autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS) - autoEncryptDNSSAN := []string{} - for _, d := range c.AutoEncrypt.DNSSAN { - autoEncryptDNSSAN = append(autoEncryptDNSSAN, d) - } - autoEncryptIPSAN := []net.IP{} - for _, i := range c.AutoEncrypt.IPSAN { - ip := net.ParseIP(i) - if ip == nil { - b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i)) - continue - } - autoEncryptIPSAN = append(autoEncryptIPSAN, ip) - - } - autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS) - - if autoEncryptAllowTLS { - connectEnabled = true - } - aclsEnabled := false primaryDatacenter := strings.ToLower(b.stringVal(c.PrimaryDatacenter)) if c.ACLDatacenter != nil { @@ -908,7 +917,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { AutoEncryptDNSSAN: autoEncryptDNSSAN, AutoEncryptIPSAN: autoEncryptIPSAN, AutoEncryptAllowTLS: autoEncryptAllowTLS, - AutoConfig: b.autoConfigVal(c.AutoConfig), + AutoConfig: autoConfig, ConnectEnabled: connectEnabled, ConnectCAProvider: connectCAProvider, ConnectCAConfig: connectCAConfig, diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index f1ffe9a2bc..a8ee65e665 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -3986,6 +3986,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) { "Both an intro token and intro token file are set. The intro token will be used instead of the file", }, patch: func(rt *RuntimeConfig) { + rt.ConnectEnabled = true rt.AutoConfig.Enabled = true rt.AutoConfig.IntroToken = "blah" rt.AutoConfig.IntroTokenFile = "blah" diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go index 9dc934cd52..a2f1790f4b 100644 --- a/agent/consul/acl_server.go +++ b/agent/consul/acl_server.go @@ -147,10 +147,10 @@ func (s *Server) LocalTokensEnabled() bool { } if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" { + // token replication is off so local tokens are disabled return false } - // token replication is off so local tokens are disabled return true } diff --git a/website/pages/docs/agent/options.mdx b/website/pages/docs/agent/options.mdx index 605a0e5de1..28fb6ab8cd 100644 --- a/website/pages/docs/agent/options.mdx +++ b/website/pages/docs/agent/options.mdx @@ -930,7 +930,9 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." The initial RPC uses a JWT specified with either `intro_token`, `intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize the request. How the JWT token is verified is controlled by the `auto_config.authorizer` - object available for use on Consul servers. + object available for use on Consul servers. Enabling this option also turns + on Connect because it is vital for `auto_config`, more specifically the CA + and certificates infrastructure. - `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial `auto_config` RPC to the Consul servers. This can be overridden with the