2018-06-14 09:42:21 -07:00

288 lines
7.9 KiB
Go

package proxy
import (
"flag"
"fmt"
"io"
"log"
"net"
"net/http"
_ "net/http/pprof" // Expose pprof if configured
"os"
"sort"
"strconv"
proxyAgent "github.com/hashicorp/consul/agent/proxy"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/flags"
proxyImpl "github.com/hashicorp/consul/connect/proxy"
"github.com/hashicorp/consul/logger"
"github.com/hashicorp/logutils"
"github.com/mitchellh/cli"
)
func New(ui cli.Ui, shutdownCh <-chan struct{}) *cmd {
c := &cmd{UI: ui, shutdownCh: shutdownCh}
c.init()
return c
}
type cmd struct {
UI cli.Ui
flags *flag.FlagSet
http *flags.HTTPFlags
help string
shutdownCh <-chan struct{}
logFilter *logutils.LevelFilter
logOutput io.Writer
logger *log.Logger
// flags
logLevel string
cfgFile string
proxyID string
pprofAddr string
service string
serviceAddr string
upstreams map[string]proxyImpl.UpstreamConfig
listen string
// test flags
testNoStart bool // don't start the proxy, just exit 0
}
func (c *cmd) init() {
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
c.flags.StringVar(&c.cfgFile, "dev-config", "",
"If set, proxy config is read on startup from this file (in HCL or JSON"+
"format). If a config file is given, the proxy will use that instead of "+
"querying the local agent for it's configuration. It will not reload it "+
"except on startup. In this mode the proxy WILL NOT authorize incoming "+
"connections with the local agent which is totally insecure. This is "+
"ONLY for internal development and testing and will probably be removed "+
"once proxy implementation is more complete..")
c.flags.StringVar(&c.proxyID, "proxy-id", "",
"The proxy's ID on the local agent.")
c.flags.StringVar(&c.logLevel, "log-level", "INFO",
"Specifies the log level.")
c.flags.StringVar(&c.pprofAddr, "pprof-addr", "",
"Enable debugging via pprof. Providing a host:port (or just ':port') "+
"enables profiling HTTP endpoints on that address.")
c.flags.StringVar(&c.service, "service", "",
"Name of the service this proxy is representing.")
c.flags.Var((*FlagUpstreams)(&c.upstreams), "upstream",
"Upstream service to support connecting to. The format should be "+
"'name:addr', such as 'db:8181'. This will make 'db' available "+
"on port 8181. This can be repeated multiple times.")
c.flags.StringVar(&c.serviceAddr, "service-addr", "",
"Address of the local service to proxy. Only useful if -listen "+
"and -service are both set.")
c.flags.StringVar(&c.listen, "listen", "",
"Address to listen for inbound connections to the proxied service. "+
"Must be specified with -service and -service-addr.")
c.http = &flags.HTTPFlags{}
flags.Merge(c.flags, c.http.ClientFlags())
flags.Merge(c.flags, c.http.ServerFlags())
c.help = flags.Usage(help, c.flags)
}
func (c *cmd) Run(args []string) int {
if err := c.flags.Parse(args); err != nil {
return 1
}
if len(c.flags.Args()) > 0 {
c.UI.Error(fmt.Sprintf("Should have no non-flag arguments."))
return 1
}
// Load the proxy ID and token from env vars if they're set
if c.proxyID == "" {
c.proxyID = os.Getenv(proxyAgent.EnvProxyId)
}
if c.http.Token() == "" {
c.http.SetToken(os.Getenv(proxyAgent.EnvProxyToken))
}
// Setup the log outputs
logConfig := &logger.Config{
LogLevel: c.logLevel,
}
logFilter, logGate, _, logOutput, ok := logger.Setup(logConfig, c.UI)
if !ok {
return 1
}
c.logFilter = logFilter
c.logOutput = logOutput
c.logger = log.New(logOutput, "", log.LstdFlags)
// Enable Pprof if needed
if c.pprofAddr != "" {
go func() {
c.UI.Output(fmt.Sprintf("Starting pprof HTTP endpoints on "+
"http://%s/debug/pprof", c.pprofAddr))
log.Fatal(http.ListenAndServe(c.pprofAddr, nil))
}()
}
// Setup Consul client
client, err := c.http.APIClient()
if err != nil {
c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
return 1
}
// Get the proper configuration watcher
cfgWatcher, err := c.configWatcher(client)
if err != nil {
c.UI.Error(fmt.Sprintf("Error preparing configuration: %s", err))
return 1
}
p, err := proxyImpl.New(client, cfgWatcher, c.logger)
if err != nil {
c.UI.Error(fmt.Sprintf("Failed initializing proxy: %s", err))
return 1
}
// Hook the shutdownCh up to close the proxy
go func() {
<-c.shutdownCh
p.Close()
}()
c.UI.Output("Consul Connect proxy starting")
c.UI.Output("Log data will now stream in as it occurs:\n")
logGate.Flush()
// Run the proxy unless our tests require we don't
if !c.testNoStart {
if err := p.Serve(); err != nil {
c.UI.Error(fmt.Sprintf("Failed running proxy: %s", err))
}
}
c.UI.Output("Consul Connect proxy shutdown")
return 0
}
func (c *cmd) configWatcher(client *api.Client) (proxyImpl.ConfigWatcher, error) {
// Manual configuration file is specified.
if c.cfgFile != "" {
cfg, err := proxyImpl.ParseConfigFile(c.cfgFile)
if err != nil {
return nil, err
}
return proxyImpl.NewStaticConfigWatcher(cfg), nil
}
// Use the configured proxy ID
if c.proxyID != "" {
return proxyImpl.NewAgentConfigWatcher(client, c.proxyID, c.logger)
}
// Otherwise, we're representing a manually specified service.
if c.service == "" {
return nil, fmt.Errorf(
"-service or -proxy-id must be specified so that proxy can " +
"configure itself.")
}
// Convert our upstreams to a slice of configurations. We do this
// deterministically by alphabetizing the upstream keys. We do this so
// that tests can compare the upstream values.
upstreamKeys := make([]string, 0, len(c.upstreams))
for k := range c.upstreams {
upstreamKeys = append(upstreamKeys, k)
}
sort.Strings(upstreamKeys)
upstreams := make([]proxyImpl.UpstreamConfig, 0, len(c.upstreams))
for _, k := range upstreamKeys {
upstreams = append(upstreams, c.upstreams[k])
}
// Parse out our listener if we have one
var listener proxyImpl.PublicListenerConfig
if c.listen != "" {
host, portRaw, err := net.SplitHostPort(c.listen)
if err != nil {
return nil, err
}
port, err := strconv.ParseInt(portRaw, 0, 0)
if err != nil {
return nil, err
}
if c.serviceAddr == "" {
return nil, fmt.Errorf(
"-service-addr must be specified with -listen so the proxy " +
"knows the backend service address.")
}
listener.BindAddress = host
listener.BindPort = int(port)
listener.LocalServiceAddress = c.serviceAddr
}
return proxyImpl.NewStaticConfigWatcher(&proxyImpl.Config{
ProxiedServiceName: c.service,
PublicListener: listener,
Upstreams: upstreams,
}), nil
}
func (c *cmd) Synopsis() string {
return synopsis
}
func (c *cmd) Help() string {
return c.help
}
const synopsis = "Runs a Consul Connect proxy"
const help = `
Usage: consul connect proxy [options]
Starts a Consul Connect proxy and runs until an interrupt is received.
The proxy can be used to accept inbound connections for a service,
wrap outbound connections to upstream services, or both. This enables
a non-Connect-aware application to use Connect.
The proxy requires service:write permissions for the service it represents.
Consul can automatically start and manage this proxy by specifying the
"proxy" configuration within your service definition.
The example below shows how to start a local proxy for establishing outbound
connections to "db" representing the frontend service. Once running, any
process that creates a TCP connection to the specified port (8181) will
establish a mutual TLS connection to "db" identified as "frontend".
$ consul connect proxy -service frontend -upstream db:8181
The next example starts a local proxy that also accepts inbound connections
on port 8443, authorizes the connection, then proxies it to port 8080:
$ consul connect proxy \
-service frontend \
-service-addr 127.0.0.1:8080 \
-listen ':8443'
A proxy can accept both inbound connections as well as proxy to upstream
services by specifying both the "-listen" and "-upstream" flags.
`