From d316cd06c11ac71e7d8676a2949ec4b680613880 Mon Sep 17 00:00:00 2001
From: Hans Hasselberg
Date: Fri, 7 Aug 2020 12:02:02 +0200
Subject: [PATCH] auto_config implies connect (#8433)

---
 agent/config/builder.go              | 55 ++++++++++++++++------------
 agent/config/runtime_test.go         |  1 +
 agent/consul/acl_server.go           |  2 +-
 website/pages/docs/agent/options.mdx |  4 +-
 4 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/agent/config/builder.go b/agent/config/builder.go
index 4eb3afef17..ae5ffd17ba 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -626,10 +626,40 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 	consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier)
 	consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
 
-	// Connect proxy defaults.
+	// Connect
 	connectEnabled := b.boolVal(c.Connect.Enabled)
 	connectCAProvider := b.stringVal(c.Connect.CAProvider)
 	connectCAConfig := c.Connect.CAConfig
+
+	// autoEncrypt and autoConfig implicitly turns on connect which is why
+	// they need to be above other settings that rely on connect.
+	autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
+	autoEncryptDNSSAN := []string{}
+	for _, d := range c.AutoEncrypt.DNSSAN {
+		autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
+	}
+	autoEncryptIPSAN := []net.IP{}
+	for _, i := range c.AutoEncrypt.IPSAN {
+		ip := net.ParseIP(i)
+		if ip == nil {
+			b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
+			continue
+		}
+		autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
+
+	}
+	autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
+
+	if autoEncryptAllowTLS {
+		connectEnabled = true
+	}
+
+	autoConfig := b.autoConfigVal(c.AutoConfig)
+	if autoConfig.Enabled {
+		connectEnabled = true
+	}
+
+	// Connect proxy defaults
 	connectMeshGatewayWANFederationEnabled := b.boolVal(c.Connect.MeshGatewayWANFederationEnabled)
 	if connectMeshGatewayWANFederationEnabled && !connectEnabled {
 		return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'")
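Review bot: The new `if autoConfig.Enabled { connectEnabled = true }` block silently overrides an operator's explicit `connect.enabled = false`, so the agent ends up running the Connect CA and certificate machinery with no trace of that decision in the logs or the rendered runtime config. The builder already has `b.warn` for this kind of situation (used a few lines above for unparseable IPSAN entries), so I would emit a warning when an explicit setting is being overridden, e.g. `if c.Connect.Enabled != nil && !*c.Connect.Enabled { b.warn("'connect.enabled=false' is ignored because 'auto_config.enabled=true' requires connect") }` — assuming `Connect.Enabled` is a `*bool`, as the `b.boolVal` call on it suggests. The same applies to the moved `autoEncryptAllowTLS` branch, so a single shared check after both assignments would cover it. Separately, the moved comment `// autoEncrypt and autoConfig implicitly turns on connect` should read `turn on`. Build's body continues outside the hunk on both sides.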
@@ -668,27 +698,6 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		})
 	}
 
-	autoEncryptTLS := b.boolVal(c.AutoEncrypt.TLS)
-	autoEncryptDNSSAN := []string{}
-	for _, d := range c.AutoEncrypt.DNSSAN {
-		autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
-	}
-	autoEncryptIPSAN := []net.IP{}
-	for _, i := range c.AutoEncrypt.IPSAN {
-		ip := net.ParseIP(i)
-		if ip == nil {
-			b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
-			continue
-		}
-		autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
-
-	}
-	autoEncryptAllowTLS := b.boolVal(c.AutoEncrypt.AllowTLS)
-
-	if autoEncryptAllowTLS {
-		connectEnabled = true
-	}
-
 	aclsEnabled := false
 	primaryDatacenter := strings.ToLower(b.stringVal(c.PrimaryDatacenter))
 	if c.ACLDatacenter != nil {
@@ -908,7 +917,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		AutoEncryptDNSSAN:   autoEncryptDNSSAN,
 		AutoEncryptIPSAN:    autoEncryptIPSAN,
 		AutoEncryptAllowTLS: autoEncryptAllowTLS,
-		AutoConfig:          b.autoConfigVal(c.AutoConfig),
+		AutoConfig:          autoConfig,
 		ConnectEnabled:      connectEnabled,
 		ConnectCAProvider:   connectCAProvider,
 		ConnectCAConfig:     connectCAConfig,
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index f1ffe9a2bc..a8ee65e665 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -3986,6 +3986,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 				"Both an intro token and intro token file are set. The intro token will be used instead of the file",
 			},
 			patch: func(rt *RuntimeConfig) {
+				rt.ConnectEnabled = true
 				rt.AutoConfig.Enabled = true
 				rt.AutoConfig.IntroToken = "blah"
 				rt.AutoConfig.IntroTokenFile = "blah"
diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go
index 9dc934cd52..a2f1790f4b 100644
--- a/agent/consul/acl_server.go
+++ b/agent/consul/acl_server.go
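Review bot: The only test touched is the intro-token warning case in TestConfigFlagsAndEdgecases, and its added `rt.ConnectEnabled = true` only records that auto_config switched Connect on when `connect.enabled` was never set in the input, so the new precedence rule — `auto_config.enabled = true` winning over an explicit `connect { enabled = false }` — has no test pinning it. I would add a sibling case whose configuration input sets both `auto_config.enabled = true` and `connect.enabled = false`, with a patch asserting `rt.ConnectEnabled = true` next to `rt.AutoConfig.Enabled = true`, so a later reordering of Build cannot quietly restore the old behaviour where Connect stayed off. The two builder.go hunks on this line (the moved auto_encrypt block and the `AutoConfig: autoConfig` assignment) look fine as-is. The enclosing test case begins before the hunk.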
@@ -147,10 +147,10 @@ func (s *Server) LocalTokensEnabled() bool {
 	}
 
 	if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" {
+		// token replication is off so local tokens are disabled
 		return false
 	}
 
-	// token replication is off so local tokens are disabled
 	return true
 }
 
diff --git a/website/pages/docs/agent/options.mdx b/website/pages/docs/agent/options.mdx
index 605a0e5de1..28fb6ab8cd 100644
--- a/website/pages/docs/agent/options.mdx
+++ b/website/pages/docs/agent/options.mdx
@@ -930,7 +930,9 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
 The initial RPC uses a JWT specified with either `intro_token`, `intro_token_file` or the `CONSUL_INTRO_TOKEN` environment variable to authorize the request. How the JWT token is verified is controlled by the `auto_config.authorizer`
-  object available for use on Consul servers.
+  object available for use on Consul servers. Enabling this option also turns
+  on Connect because it is vital for `auto_config`, more specifically the CA
+  and certificates infrastructure.
 - `intro_token` (Defaults to `""`) This specifies the JWT to use for the initial `auto_config` RPC to the Consul servers. This can be overridden with the
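Review bot: The relocated comment `// token replication is off so local tokens are disabled` now sits inside a condition that also fires when replication is on but `s.tokens.ReplicationToken()` is empty, so it describes only half of the branch that returns false. In an authorization helper like LocalTokensEnabled the comment should match the check exactly; I would write `// local tokens are disabled unless token replication is on and a replication token is configured`. LocalTokensEnabled's body starts before this hunk, so the earlier return paths are not visible here.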