connect/ca: more OSS split for multi-dc

Kyle Havlovitz 2018-09-28 03:47:37 -07:00
parent 0da4f2b2e8
commit e4349c5710
5 changed files with 22 additions and 2 deletions


@ -120,7 +120,10 @@ func (s *ConnectCA) ConfigurationSet(
return err
}
if root != nil && root.ID == newActiveRoot.ID {
// If the root didn't change or if this is a secondary DC, just update the
// config and return.
if (s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter) ||
root != nil && root.ID == newActiveRoot.ID {
args.Op = structs.CAOpSetConfig
resp, err := s.srv.raftApply(structs.ConnectCARequestType, args)
if err != nil {
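Review bot: The new `if` mixes `||` and `&&` with parentheses only around the datacenter comparison; Go binds `&&` tighter, so it evaluates as intended, but the lopsided parenthesization invites reading it as `(… || root != nil) && root.ID == …`. Naming the secondary test and parenthesizing the other operand makes the intent explicit: `isSecondary := s.srv.config.Datacenter != s.srv.config.PrimaryDatacenter` followed by `if isSecondary || (root != nil && root.ID == newActiveRoot.ID) {`. The secondary branch also commits the new config without consulting the root comparison at all, so a secondary whose provider yields a root different from the active one would have that config stored silently rather than rotated; presumably secondaries are meant to take their roots only from the primary, and a sentence saying so in the comment (`// Secondaries never rotate roots locally; they follow the primary.`) would spare the next reader the question. ConfigurationSet begins before this hunk, so the validation that precedes the branch is not visible here.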


@ -227,6 +227,8 @@ func (s *Server) establishLeadership() error {
return err
}
s.startEnterpriseLeader()
s.startCARootPruning()
s.setConsistentReadReady()
@ -245,6 +247,8 @@ func (s *Server) revokeLeadership() error {
return err
}
s.stopEnterpriseLeader()
s.stopCARootPruning()
s.setCAProvider(nil, nil)
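Review bot: `s.startEnterpriseLeader()` is added to establishLeadership with no return value, while the step immediately above it propagates failure with `return err`; if the Enterprise implementation can fail to start its leader routines, that failure cannot abort leadership establishment the way the OSS steps can. Since the OSS stub is a no-op, giving it an `error` result now costs nothing and keeps both builds on one error path: `func (s *Server) startEnterpriseLeader() error { return nil }` in the stub file, called here as `if err := s.startEnterpriseLeader(); err != nil { return err }`. A smaller point: revokeLeadership tears down in the same order establishLeadership sets up (enterprise routines, then CA root pruning), whereas the usual convention is reverse order; whether that matters depends on what the Enterprise routines touch, which is not visible here. Both functions begin before their hunks.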


@ -23,3 +23,7 @@ func (s *Server) initializeCA() error {
return s.initializeRootCA(provider, conf)
}
// Stub methods, only present in Consul Enterprise.
func (s *Server) startEnterpriseLeader() {}
func (s *Server) stopEnterpriseLeader() {}


@ -274,6 +274,15 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (*
config.UseTLS = true
}
// Set the primary DC if it wasn't set.
if config.PrimaryDatacenter == "" {
if config.ACLDatacenter != "" {
config.PrimaryDatacenter = config.ACLDatacenter
} else {
config.PrimaryDatacenter = config.Datacenter
}
}
// Create the TLS wrapper for outgoing connections.
tlsConf := config.tlsConfig()
tlsWrap, err := tlsConf.OutgoingTLSWrapper()
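Review bot: The defaulting block accepts a configuration in which `ACLDatacenter` and `PrimaryDatacenter` are both set but disagree, leaving ACL authority in one datacenter and the Connect CA primary in another with no signal to the operator; nothing in the hunk checks for that. With `acl_datacenter` deprecated in favor of `primary_datacenter`, a warning is the least that should happen, and `logger` is already a parameter of this constructor: `if config.ACLDatacenter != "" && config.ACLDatacenter != config.PrimaryDatacenter {` / `logger.Printf("[WARN] consul: acl_datacenter %q differs from primary_datacenter %q", config.ACLDatacenter, config.PrimaryDatacenter)` / `}`. Rejecting the mismatch outright may be the better choice, but whether existing callers rely on the lenient behavior is not visible here. The value set here is later compared byte-for-byte against `config.Datacenter` to decide whether a server is a secondary, so if datacenter names are normalized elsewhere (lowercased, for instance), the same normalization should be confirmed to have happened before this point.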


@ -498,7 +498,7 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
#### Configuration Key Reference
* <a name="acl_datacenter"></a><a href="#acl_datacenter">`acl_datacenter`</a> - **This field is
deprecated in Consul 1.3.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
deprecated in Consul 1.4.0. See the [`primary_datacenter`](#primary_datacenter) field instead.**
This designates the datacenter which is authoritative for ACL information. It must be provided to enable ACLs. All servers and datacenters must agree on the ACL datacenter. Setting it on the servers is all you need for cluster-level enforcement, but for the APIs to forward properly from the clients,
it must be set on them too. In Consul 0.8 and later, this also enables agent-level enforcement