From b4f8c98fbbd5e69f24fade7ef14450149b050a4f Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Wed, 18 Mar 2015 10:41:00 -0400 Subject: [PATCH 1/2] Read select environment variables when generating the default configuration --- api/api.go | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ api/api_test.go | 45 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) diff --git a/api/api.go b/api/api.go index 76acad1b65..8fe2ead048 100644 --- a/api/api.go +++ b/api/api.go @@ -2,9 +2,11 @@ package api import ( "bytes" + "crypto/tls" "encoding/json" "fmt" "io" + "log" "net" "net/http" "net/url" @@ -124,6 +126,52 @@ func DefaultConfig() *Config { config.Address = addr } + if token := os.Getenv("CONSUL_HTTP_TOKEN"); token != "" { + config.Token = token + } + + if auth := os.Getenv("CONSUL_HTTP_AUTH"); auth != "" { + var username, password string + if strings.Contains(auth, ":") { + split := strings.SplitN(auth, ":", 2) + username = split[0] + password = split[1] + } else { + username = auth + } + + config.HttpAuth = &HttpBasicAuth{ + Username: username, + Password: password, + } + } + + if ssl := os.Getenv("CONSUL_HTTP_SSL"); ssl != "" { + enabled, err := strconv.ParseBool(ssl) + if err != nil { + log.Printf("[WARN] client: could not parse CONSUL_HTTP_SSL: %s", err) + } + + if enabled { + config.Scheme = "https" + } + } + + if verify := os.Getenv("CONSUL_HTTP_SSL_VERIFY"); verify != "" { + doVerify, err := strconv.ParseBool(verify) + if err != nil { + log.Printf("[WARN] client: could not parse CONSUL_HTTP_SSL_VERIFY: %s", err) + } + + if !doVerify { + config.HttpClient.Transport = &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + } + } + } + return config } diff --git a/api/api_test.go b/api/api_test.go index dc25f8b5a4..f0de0b6b97 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -190,6 +190,51 @@ func testKey() string { buf[10:16]) } +func TestDefaultConfig_env(t *testing.T) { + addr := "1.2.3.4:5678" + token := "abcd1234" + auth := "username:password" + + os.Setenv("CONSUL_HTTP_ADDR", addr) + defer os.Setenv("CONSUL_HTTP_ADDR", "") + os.Setenv("CONSUL_HTTP_TOKEN", token) + defer os.Setenv("CONSUL_HTTP_TOKEN", "") + os.Setenv("CONSUL_HTTP_AUTH", auth) + defer os.Setenv("CONSUL_HTTP_AUTH", "") + os.Setenv("CONSUL_HTTP_SSL", "1") + defer os.Setenv("CONSUL_HTTP_SSL", "") + os.Setenv("CONSUL_HTTP_SSL_VERIFY", "0") + defer os.Setenv("CONSUL_HTTP_SSL_VERIFY", "") + + config := DefaultConfig() + + if config.Address != addr { + t.Errorf("expected %q to be %q", config.Address, addr) + } + + if config.Token != token { + t.Errorf("expected %q to be %q", config.Token, token) + } + + if config.HttpAuth == nil { + t.Fatalf("expected HttpAuth to be enabled") + } + if config.HttpAuth.Username != "username" { + t.Errorf("expected %q to be %q", config.HttpAuth.Username, "username") + } + if config.HttpAuth.Password != "password" { + t.Errorf("expected %q to be %q", config.HttpAuth.Password, "password") + } + + if config.Scheme != "https" { + t.Errorf("expected %q to be %q", config.Scheme, "https") + } + + if !config.HttpClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify { + t.Errorf("expected SSL verification to be off") + } +} + func TestSetQueryOptions(t *testing.T) { c, s := makeClient(t) defer s.stop() From 81545e9499f8e0a6ad321de1b7d1133b2769153d Mon Sep 17 00:00:00 2001 From: tummychow Date: Wed, 18 Mar 2015 14:22:36 -0700 Subject: [PATCH 2/2] Add doc notes for HTTPS API - the HTTPS API address can be configured just like any other address - the verify_incoming setting also applies to the HTTPS API --- website/source/docs/agent/options.html.markdown | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown index 585d1ffb5a..d9729d4add 100644 --- a/website/source/docs/agent/options.html.markdown +++ b/website/source/docs/agent/options.html.markdown @@ -302,6 +302,7 @@ definitions support being updated during a reload. The following keys are valid: * `dns` - The DNS server. Defaults to `client_addr` * `http` - The HTTP API. Defaults to `client_addr` + * `https` - The HTTPS API. Defaults to `client_addr` * `rpc` - The RPC endpoint. Defaults to `client_addr` * `advertise_addr` Equivalent to @@ -546,7 +547,7 @@ definitions support being updated during a reload. connections make use of TLS and that the client provides a certificate signed by the Certificate Authority from the [`ca_file`](#ca_file). By default, this is false, and Consul will not enforce the use of TLS or verify a client's authenticity. This - only applies to Consul servers since a client never has an incoming connection. + applies to both server RPC and to the HTTPS API. * `verify_outgoing` - If set to true, Consul requires that all outgoing connections