This only affects vault versions >=1.1.1 because the prior code accidentally relied upon a bug that was fixed in https://github.com/hashicorp/vault/pull/6505 The existing tests should have caught this, but they were using a vendored copy of vault version 0.10.3. This fixes the tests by running an actual copy of vault instead of an in-process copy. This has the added benefit of changing the dependency on vault to just vault/api. Also update VaultProvider to use similar SetIntermediate validation code as the ConsulProvider implementation.
go-sockaddr
sockaddr
Library
Socket address convenience functions for Go. go-sockaddr
is a convenience
library that makes doing the right thing with IP addresses easy. go-sockaddr
is loosely modeled after the UNIX sockaddr_t
and creates a union of the family
of sockaddr_t
types (see below for an ascii diagram). Library documentation
is available
at
https://godoc.org/github.com/hashicorp/go-sockaddr.
The primary intent of the library was to make it possible to define heuristics
for selecting the correct IP addresses when a configuration is evaluated at
runtime. See
the
docs,
template
package,
tests,
and
CLI utility
for details and hints as to how to use this library.
For example, with this library it is possible to find an IP address that:
- is attached to a default route
(
GetDefaultInterfaces()
) - is contained within a CIDR block (
IfByNetwork()
) - is an RFC1918 address
(
IfByRFC("1918")
) - is ordered
(
OrderedIfAddrBy(args)
whereargs
includes, but is not limited to,AscIfType
,AscNetworkSize
) - excludes all IPv6 addresses
(
IfByType("^(IPv4)$")
) - is larger than a
/32
(IfByMaskSize(32)
) - is not on a
down
interface (ExcludeIfs("flags", "down")
) - preferences an IPv6 address over an IPv4 address
(
SortIfByType()
+ReverseIfAddrs()
); and - excludes any IP in RFC6890 address
(
IfByRFC("6890")
)
Or any combination or variation therein.
There are also a few simple helper functions such as GetPublicIP
and
GetPrivateIP
which both return strings and select the first public or private
IP address on the default interface, respectively. Similarly, there is also a
helper function called GetInterfaceIP
which returns the first usable IP
address on the named interface.
sockaddr
CLI
Given the possible complexity of the sockaddr
library, there is a CLI utility
that accompanies the library, also
called
sockaddr
.
The
sockaddr
utility exposes nearly all of the functionality of the library and can be used
either as an administrative tool or testing tool. To install
the
sockaddr
,
run:
$ go get -u github.com/hashicorp/go-sockaddr/cmd/sockaddr
If you're familiar with UNIX's sockaddr
struct's, the following diagram
mapping the C sockaddr
(top) to go-sockaddr
structs (bottom) and
interfaces will be helpful:
+-------------------------------------------------------+
| |
| sockaddr |
| SockAddr |
| |
| +--------------+ +----------------------------------+ |
| | sockaddr_un | | | |
| | SockAddrUnix | | sockaddr_in{,6} | |
| +--------------+ | IPAddr | |
| | | |
| | +-------------+ +--------------+ | |
| | | sockaddr_in | | sockaddr_in6 | | |
| | | IPv4Addr | | IPv6Addr | | |
| | +-------------+ +--------------+ | |
| | | |
| +----------------------------------+ |
| |
+-------------------------------------------------------+
Inspiration and Design
There were many subtle inspirations that led to this design, but the most direct
inspiration for the filtering syntax was
OpenBSD's
pf.conf(5)
firewall
syntax that lets you select the first IP address on a given named interface.
The original problem stemmed from:
- needing to create immutable images using Packer that ran the Consul process (Consul can only use one IP address at a time);
- images that may or may not have multiple interfaces or IP addresses at runtime; and
- we didn't want to rely on configuration management to render out the correct IP address if the VM image was being used in an auto-scaling group.
Instead we needed some way to codify a heuristic that would correctly select the right IP address but the input parameters were not known when the image was created.