From e4349c5710376fe5ea423c9c3a16880e9f3ad135 Mon Sep 17 00:00:00 2001 From: Kyle Havlovitz Date: Fri, 28 Sep 2018 03:47:37 -0700 Subject: [PATCH] connect/ca: more OSS split for multi-dc --- agent/consul/connect_ca_endpoint.go | 5 ++++- agent/consul/leader.go | 4 ++++ agent/consul/leader_oss.go | 4 ++++ agent/consul/server.go | 9 +++++++++ website/source/docs/agent/options.html.md | 2 +- 5 files changed, 22 insertions(+), 2 deletions(-) diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go index 1a27bd5222..f0bd6cf21a 100644 --- a/agent/consul/connect_ca_endpoint.go +++ b/agent/consul/connect_ca_endpoint.go @@ -120,7 +120,10 @@ func (s *ConnectCA) ConfigurationSet( return err } - if root != nil && root.ID == newActiveRoot.ID { + // If the root didn't change or if this is a secondary DC, just update the + // config and return. + if (s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter) || + root != nil && root.ID == newActiveRoot.ID { args.Op = structs.CAOpSetConfig resp, err := s.srv.raftApply(structs.ConnectCARequestType, args) if err != nil { diff --git a/agent/consul/leader.go b/agent/consul/leader.go index ba13139893..ce3961193c 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -227,6 +227,8 @@ func (s *Server) establishLeadership() error { return err } + s.startEnterpriseLeader() + s.startCARootPruning() s.setConsistentReadReady() @@ -245,6 +247,8 @@ func (s *Server) revokeLeadership() error { return err } + s.stopEnterpriseLeader() + s.stopCARootPruning() s.setCAProvider(nil, nil) diff --git a/agent/consul/leader_oss.go b/agent/consul/leader_oss.go index 3ec519045f..c1f6968692 100644 --- a/agent/consul/leader_oss.go +++ b/agent/consul/leader_oss.go @@ -23,3 +23,7 @@ func (s *Server) initializeCA() error { return s.initializeRootCA(provider, conf) } + +// Stub methods, only present in Consul Enterprise. +func (s *Server) startEnterpriseLeader() {} +func (s *Server) stopEnterpriseLeader() {} 
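Review bot: The new condition in ConfigurationSet relies on Go's `&&`-over-`||` precedence to read as "secondary DC, or root unchanged", while the parentheses are placed around the single-term side, which makes the grouping look wrong at a glance; write it as `if s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter || (root != nil && root.ID == newActiveRoot.ID) {` so the intended grouping is explicit. Because `newActiveRoot` is already populated when this check runs, the secondary path appears to drive the new provider far enough to produce a root it then discards; if that root comes from the provider call above the hunk, consider testing for the secondary DC before the provider is touched. The case-sensitive string comparison also means a `primary_datacenter` that differs from `datacenter` only by case silently puts this DC on the secondary path, unless config parsing normalizes both (not visible here). ConfigurationSet both starts and ends outside this hunk.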
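Review bot: `s.startEnterpriseLeader()` is the only step in this part of establishLeadership that cannot fail, because the stub signature returns nothing, so an Enterprise leader routine that cannot start has no way to abort leadership and fall back to the error path the surrounding calls use. If the Enterprise implementation can fail (for example on its first interaction with the CA provider), give the hook an error return now, while the OSS stub is being introduced: `if err := s.startEnterpriseLeader(); err != nil {` / `return err` / `}` with `func (s *Server) startEnterpriseLeader() error { return nil }` in leader_oss.go. This is a design choice rather than a defect in the visible code, and establishLeadership starts and ends outside the hunk.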
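Review bot: The shared comment `// Stub methods, only present in Consul Enterprise.` reads as if the methods themselves exist only in Enterprise, when the stubs are precisely what OSS ships; a reader of leader.go jumping to the definition gets no information about what the hook is for. Give each function its own doc comment, e.g. `// startEnterpriseLeader is a no-op in Consul OSS; the Enterprise build supplies leader-only background routines here.` and `// stopEnterpriseLeader is a no-op in Consul OSS; see startEnterpriseLeader.`, and state the build constraint that keeps these stubs out of the Enterprise build if the file's header (outside this hunk) carries one.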
diff --git a/agent/consul/server.go b/agent/consul/server.go index fefb11f61a..94bc01e8df 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -274,6 +274,15 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (* config.UseTLS = true } + // Set the primary DC if it wasn't set. + if config.PrimaryDatacenter == "" { + if config.ACLDatacenter != "" { + config.PrimaryDatacenter = config.ACLDatacenter + } else { + config.PrimaryDatacenter = config.Datacenter + } + } + // Create the TLS wrapper for outgoing connections. tlsConf := config.tlsConfig() tlsWrap, err := tlsConf.OutgoingTLSWrapper() diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md index d28b94619a..afa51d85ac 100644 --- a/website/source/docs/agent/options.html.md +++ b/website/source/docs/agent/options.html.md @@ -498,7 +498,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass #### Configuration Key Reference * `acl_datacenter` - **This field is - deprecated in Consul 1.3.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** + deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.** This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients, it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement
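Review bot: The new defaulting block handles only an empty `PrimaryDatacenter` and never reconciles it with `ACLDatacenter`, so an operator who sets both to different values ends up with one DC authoritative for ACLs and another for the CA with no diagnostic, even though the docs in this same commit present `primary_datacenter` as the replacement for `acl_datacenter`. Add a conflict check alongside the default, e.g. `} else if config.ACLDatacenter != "" && config.ACLDatacenter != config.PrimaryDatacenter {` / `return nil, fmt.Errorf("primary_datacenter %q and acl_datacenter %q must agree", config.PrimaryDatacenter, config.ACLDatacenter)` / `}`, adjusted to NewServerLogger's actual return shape since its signature is cut at the hunk header. The value is also neither normalized nor validated against any known datacenter, so a typo in `primary_datacenter` silently makes every server treat itself as a secondary (which in ConfigurationSet skips root rotation); if config parsing already lowercases datacenter names, apply the same normalization here or do this defaulting in the config layer so clients and servers agree.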