mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 13:26:07 +00:00
5fb9df1640
* Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
329 lines
11 KiB
Go
329 lines
11 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package config
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/consul/agent/consul"
|
|
"github.com/hashicorp/consul/types"
|
|
)
|
|
|
|
type DeprecatedConfig struct {
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
|
|
ACLAgentMasterToken *string `mapstructure:"acl_agent_master_token"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
|
|
ACLAgentToken *string `mapstructure:"acl_agent_token"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
|
|
ACLToken *string `mapstructure:"acl_token"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_key_list_policy"
|
|
ACLEnableKeyListPolicy *bool `mapstructure:"acl_enable_key_list_policy"`
|
|
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
|
|
ACLMasterToken *string `mapstructure:"acl_master_token"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
|
|
ACLReplicationToken *string `mapstructure:"acl_replication_token"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_token_replication"
|
|
EnableACLReplication *bool `mapstructure:"enable_acl_replication"`
|
|
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
|
|
ACLDatacenter *string `mapstructure:"acl_datacenter"`
|
|
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.default_policy"
|
|
ACLDefaultPolicy *string `mapstructure:"acl_default_policy"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.down_policy"
|
|
ACLDownPolicy *string `mapstructure:"acl_down_policy"`
|
|
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.token_ttl"
|
|
ACLTTL *string `mapstructure:"acl_ttl"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.ca_file"
|
|
CAFile *string `mapstructure:"ca_file"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.ca_path"
|
|
CAPath *string `mapstructure:"ca_path"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.cert_file"
|
|
CertFile *string `mapstructure:"cert_file"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.key_file"
|
|
KeyFile *string `mapstructure:"key_file"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.tls_cipher_suites"
|
|
TLSCipherSuites *string `mapstructure:"tls_cipher_suites"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.tls_min_version"
|
|
TLSMinVersion *string `mapstructure:"tls_min_version"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.verify_incoming"
|
|
VerifyIncoming *bool `mapstructure:"verify_incoming"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.https.verify_incoming"
|
|
VerifyIncomingHTTPS *bool `mapstructure:"verify_incoming_https"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_incoming"
|
|
VerifyIncomingRPC *bool `mapstructure:"verify_incoming_rpc"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.defaults.verify_outgoing"
|
|
VerifyOutgoing *bool `mapstructure:"verify_outgoing"`
|
|
|
|
// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_server_hostname"
|
|
VerifyServerHostname *bool `mapstructure:"verify_server_hostname"`
|
|
|
|
// DEPRECATED(TLS) - this isn't honored by crypto/tls anymore.
|
|
TLSPreferServerCipherSuites *bool `mapstructure:"tls_prefer_server_cipher_suites"`
|
|
|
|
// DEPRECATED(JOIN) - replaced by retry_join
|
|
StartJoinAddrsLAN []string `mapstructure:"start_join"`
|
|
|
|
// DEPRECATED(JOIN) - replaced by retry_join_wan
|
|
StartJoinAddrsWAN []string `mapstructure:"start_join_wan"`
|
|
|
|
// DEPRECATED see RaftLogStore
|
|
RaftBoltDBConfig *consul.RaftBoltDBConfig `mapstructure:"raft_boltdb" json:"-"`
|
|
}
|
|
|
|
func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
|
|
dep := d.DeprecatedConfig
|
|
var warns []string
|
|
|
|
// TODO(boxofrad): The DeprecatedConfig struct only holds fields that were once
|
|
// on the top-level Config struct (not nested fields e.g. ACL.Tokens) maybe we
|
|
// should rethink this a bit?
|
|
if d.Config.ACL.Tokens.AgentMaster != nil {
|
|
if d.Config.ACL.Tokens.AgentRecovery == nil {
|
|
d.Config.ACL.Tokens.AgentRecovery = d.Config.ACL.Tokens.AgentMaster
|
|
}
|
|
warns = append(warns, deprecationWarning("acl.tokens.agent_master", "acl.tokens.agent_recovery"))
|
|
}
|
|
|
|
if dep.ACLAgentMasterToken != nil {
|
|
if d.Config.ACL.Tokens.AgentRecovery == nil {
|
|
d.Config.ACL.Tokens.AgentRecovery = dep.ACLAgentMasterToken
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_agent_master_token", "acl.tokens.agent_recovery"))
|
|
}
|
|
|
|
if dep.ACLAgentToken != nil {
|
|
if d.Config.ACL.Tokens.Agent == nil {
|
|
d.Config.ACL.Tokens.Agent = dep.ACLAgentToken
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_agent_token", "acl.tokens.agent"))
|
|
}
|
|
|
|
if dep.ACLToken != nil {
|
|
if d.Config.ACL.Tokens.Default == nil {
|
|
d.Config.ACL.Tokens.Default = dep.ACLToken
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_token", "acl.tokens.default"))
|
|
}
|
|
|
|
if d.Config.ACL.Tokens.Master != nil {
|
|
if d.Config.ACL.Tokens.InitialManagement == nil {
|
|
d.Config.ACL.Tokens.InitialManagement = d.Config.ACL.Tokens.Master
|
|
}
|
|
warns = append(warns, deprecationWarning("acl.tokens.master", "acl.tokens.initial_management"))
|
|
}
|
|
|
|
if dep.ACLMasterToken != nil {
|
|
if d.Config.ACL.Tokens.InitialManagement == nil {
|
|
d.Config.ACL.Tokens.InitialManagement = dep.ACLMasterToken
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_master_token", "acl.tokens.initial_management"))
|
|
}
|
|
|
|
if dep.ACLReplicationToken != nil {
|
|
if d.Config.ACL.Tokens.Replication == nil {
|
|
d.Config.ACL.Tokens.Replication = dep.ACLReplicationToken
|
|
}
|
|
d.Config.ACL.TokenReplication = pBool(true)
|
|
warns = append(warns, deprecationWarning("acl_replication_token", "acl.tokens.replication"))
|
|
}
|
|
|
|
if dep.EnableACLReplication != nil {
|
|
if d.Config.ACL.TokenReplication == nil {
|
|
d.Config.ACL.TokenReplication = dep.EnableACLReplication
|
|
}
|
|
warns = append(warns, deprecationWarning("enable_acl_replication", "acl.enable_token_replication"))
|
|
}
|
|
|
|
if dep.ACLDatacenter != nil {
|
|
if d.Config.PrimaryDatacenter == nil {
|
|
d.Config.PrimaryDatacenter = dep.ACLDatacenter
|
|
}
|
|
|
|
// when the acl_datacenter config is used it implicitly enables acls
|
|
d.Config.ACL.Enabled = pBool(true)
|
|
warns = append(warns, deprecationWarning("acl_datacenter", "primary_datacenter"))
|
|
}
|
|
|
|
if dep.ACLDefaultPolicy != nil {
|
|
if d.Config.ACL.DefaultPolicy == nil {
|
|
d.Config.ACL.DefaultPolicy = dep.ACLDefaultPolicy
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_default_policy", "acl.default_policy"))
|
|
}
|
|
|
|
if dep.ACLDownPolicy != nil {
|
|
if d.Config.ACL.DownPolicy == nil {
|
|
d.Config.ACL.DownPolicy = dep.ACLDownPolicy
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_down_policy", "acl.down_policy"))
|
|
}
|
|
|
|
if dep.ACLTTL != nil {
|
|
if d.Config.ACL.TokenTTL == nil {
|
|
d.Config.ACL.TokenTTL = dep.ACLTTL
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_ttl", "acl.token_ttl"))
|
|
}
|
|
|
|
if dep.ACLEnableKeyListPolicy != nil {
|
|
if d.Config.ACL.EnableKeyListPolicy == nil {
|
|
d.Config.ACL.EnableKeyListPolicy = dep.ACLEnableKeyListPolicy
|
|
}
|
|
warns = append(warns, deprecationWarning("acl_enable_key_list_policy", "acl.enable_key_list_policy"))
|
|
}
|
|
|
|
if len(dep.StartJoinAddrsLAN) > 0 {
|
|
d.Config.RetryJoinLAN = append(d.Config.RetryJoinLAN, dep.StartJoinAddrsLAN...)
|
|
warns = append(warns, deprecationWarning("start_join", "retry_join"))
|
|
}
|
|
|
|
if len(dep.StartJoinAddrsWAN) > 0 {
|
|
d.Config.RetryJoinWAN = append(d.Config.RetryJoinWAN, dep.StartJoinAddrsWAN...)
|
|
warns = append(warns, deprecationWarning("start_join_wan", "retry_join_wan"))
|
|
}
|
|
|
|
if dep.RaftBoltDBConfig != nil {
|
|
if d.Config.RaftLogStore.BoltDBConfig.NoFreelistSync == nil {
|
|
d.Config.RaftLogStore.BoltDBConfig.NoFreelistSync = &dep.RaftBoltDBConfig.NoFreelistSync
|
|
}
|
|
warns = append(warns, deprecationWarning("raft_boltdb", "raft_logstore.boltdb"))
|
|
}
|
|
|
|
warns = append(warns, applyDeprecatedTLSConfig(dep, &d.Config)...)
|
|
|
|
return d.Config, warns
|
|
}
|
|
|
|
func applyDeprecatedTLSConfig(dep DeprecatedConfig, cfg *Config) []string {
|
|
var warns []string
|
|
|
|
tls := &cfg.TLS
|
|
defaults := &tls.Defaults
|
|
internalRPC := &tls.InternalRPC
|
|
https := &tls.HTTPS
|
|
grpc := &tls.GRPC
|
|
|
|
if v := dep.CAFile; v != nil {
|
|
if defaults.CAFile == nil {
|
|
defaults.CAFile = v
|
|
}
|
|
warns = append(warns, deprecationWarning("ca_file", "tls.defaults.ca_file"))
|
|
}
|
|
|
|
if v := dep.CAPath; v != nil {
|
|
if defaults.CAPath == nil {
|
|
defaults.CAPath = v
|
|
}
|
|
warns = append(warns, deprecationWarning("ca_path", "tls.defaults.ca_path"))
|
|
}
|
|
|
|
if v := dep.CertFile; v != nil {
|
|
if defaults.CertFile == nil {
|
|
defaults.CertFile = v
|
|
}
|
|
warns = append(warns, deprecationWarning("cert_file", "tls.defaults.cert_file"))
|
|
}
|
|
|
|
if v := dep.KeyFile; v != nil {
|
|
if defaults.KeyFile == nil {
|
|
defaults.KeyFile = v
|
|
}
|
|
warns = append(warns, deprecationWarning("key_file", "tls.defaults.key_file"))
|
|
}
|
|
|
|
if v := dep.TLSCipherSuites; v != nil {
|
|
if defaults.TLSCipherSuites == nil {
|
|
defaults.TLSCipherSuites = v
|
|
}
|
|
warns = append(warns, deprecationWarning("tls_cipher_suites", "tls.defaults.tls_cipher_suites"))
|
|
}
|
|
|
|
if v := dep.TLSMinVersion; v != nil {
|
|
if defaults.TLSMinVersion == nil {
|
|
// NOTE: This inner check for deprecated values should eventually be
|
|
// removed
|
|
if version, ok := types.DeprecatedConsulAgentTLSVersions[*v]; ok {
|
|
// Log warning about deprecated config values
|
|
warns = append(warns, fmt.Sprintf("'tls_min_version' value '%s' is deprecated, please specify '%s' instead", *v, version))
|
|
versionString := version.String()
|
|
defaults.TLSMinVersion = &versionString
|
|
} else {
|
|
defaults.TLSMinVersion = v
|
|
}
|
|
}
|
|
warns = append(warns, deprecationWarning("tls_min_version", "tls.defaults.tls_min_version"))
|
|
}
|
|
|
|
if v := dep.VerifyIncoming; v != nil {
|
|
if defaults.VerifyIncoming == nil {
|
|
defaults.VerifyIncoming = v
|
|
}
|
|
|
|
// Prior to Consul 1.12 it was not possible to enable client certificate
|
|
// verification on the gRPC port. We must override GRPC.VerifyIncoming to
|
|
// prevent it from inheriting Defaults.VerifyIncoming when we've mapped the
|
|
// deprecated top-level verify_incoming field.
|
|
if grpc.VerifyIncoming == nil {
|
|
grpc.VerifyIncoming = pBool(false)
|
|
tls.GRPCModifiedByDeprecatedConfig = &struct{}{}
|
|
}
|
|
|
|
warns = append(warns, deprecationWarning("verify_incoming", "tls.defaults.verify_incoming"))
|
|
}
|
|
|
|
if v := dep.VerifyIncomingHTTPS; v != nil {
|
|
if https.VerifyIncoming == nil {
|
|
https.VerifyIncoming = v
|
|
}
|
|
warns = append(warns, deprecationWarning("verify_incoming_https", "tls.https.verify_incoming"))
|
|
}
|
|
|
|
if v := dep.VerifyIncomingRPC; v != nil {
|
|
if internalRPC.VerifyIncoming == nil {
|
|
internalRPC.VerifyIncoming = v
|
|
}
|
|
warns = append(warns, deprecationWarning("verify_incoming_rpc", "tls.internal_rpc.verify_incoming"))
|
|
}
|
|
|
|
if v := dep.VerifyOutgoing; v != nil {
|
|
if defaults.VerifyOutgoing == nil {
|
|
defaults.VerifyOutgoing = v
|
|
}
|
|
warns = append(warns, deprecationWarning("verify_outgoing", "tls.defaults.verify_outgoing"))
|
|
}
|
|
|
|
if v := dep.VerifyServerHostname; v != nil {
|
|
if internalRPC.VerifyServerHostname == nil {
|
|
internalRPC.VerifyServerHostname = v
|
|
}
|
|
warns = append(warns, deprecationWarning("verify_server_hostname", "tls.internal_rpc.verify_server_hostname"))
|
|
}
|
|
|
|
if dep.TLSPreferServerCipherSuites != nil {
|
|
warns = append(warns, "The 'tls_prefer_server_cipher_suites' field is deprecated and will be ignored.")
|
|
}
|
|
|
|
return warns
|
|
}
|
|
|
|
func deprecationWarning(old, new string) string {
|
|
return fmt.Sprintf("The '%v' field is deprecated. Use the '%v' field instead.", old, new)
|
|
}
|
|
|
|
func pBool(v bool) *bool {
|
|
return &v
|
|
}
|