mirror of
https://github.com/status-im/consul.git
synced 2025-01-23 03:59:18 +00:00
e02ef16f02
* Persist HCP management token from server config We want to move away from injecting an initial management token into Consul clusters linked to HCP. The reasoning is that by using a separate class of token we can have more flexibility in terms of allowing HCP's token to co-exist with the user's management token. Down the line we can also more easily adjust the permissions attached to HCP's token to limit it's scope. With these changes, the cloud management token is like the initial management token in that iit has the same global management policy and if it is created it effectively bootstraps the ACL system. * Update SDK and mock HCP server The HCP management token will now be sent in a special field rather than as Consul's "initial management" token configuration. This commit also updates the mock HCP server to more accurately reflect the behavior of the CCM backend. * Refactor HCP bootstrapping logic and add tests We want to allow users to link Consul clusters that already exist to HCP. Existing clusters need care when bootstrapped by HCP, since we do not want to do things like change ACL/TLS settings for a running cluster. Additional changes: * Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK requires HTTPS to fetch a token from the Auth URL, even if the backend server is mocked. By pulling the hcp.Client creation out we can modify its TLS configuration in tests while keeping the secure behavior in production code. * Add light validation for data received/loaded. * Sanitize initial_management token from received config, since HCP will only ever use the CloudConfig.MangementToken. * Add changelog entry
2760 lines
98 KiB
Go
2760 lines
98 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package config
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
"reflect"
|
|
"regexp"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/armon/go-metrics/prometheus"
|
|
"github.com/hashicorp/go-bexpr"
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/go-multierror"
|
|
"github.com/hashicorp/go-sockaddr/template"
|
|
"github.com/hashicorp/memberlist"
|
|
"golang.org/x/time/rate"
|
|
|
|
hcpconfig "github.com/hashicorp/consul/agent/hcp/config"
|
|
|
|
"github.com/hashicorp/consul/agent/cache"
|
|
"github.com/hashicorp/consul/agent/checks"
|
|
"github.com/hashicorp/consul/agent/connect/ca"
|
|
"github.com/hashicorp/consul/agent/consul"
|
|
"github.com/hashicorp/consul/agent/consul/authmethod/ssoauth"
|
|
consulrate "github.com/hashicorp/consul/agent/consul/rate"
|
|
"github.com/hashicorp/consul/agent/dns"
|
|
"github.com/hashicorp/consul/agent/rpc/middleware"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/agent/token"
|
|
"github.com/hashicorp/consul/ipaddr"
|
|
"github.com/hashicorp/consul/lib"
|
|
"github.com/hashicorp/consul/lib/stringslice"
|
|
libtempl "github.com/hashicorp/consul/lib/template"
|
|
"github.com/hashicorp/consul/logging"
|
|
"github.com/hashicorp/consul/tlsutil"
|
|
"github.com/hashicorp/consul/types"
|
|
)
|
|
|
|
type FlagValuesTarget = decodeTarget
|
|
|
|
// LoadOpts used by Load to construct and validate a RuntimeConfig.
|
|
type LoadOpts struct {
|
|
// FlagValues contains the command line arguments that can also be set
|
|
// in a config file.
|
|
FlagValues FlagValuesTarget
|
|
|
|
// ConfigFiles is a slice of paths to config files and directories that will
|
|
// be loaded.
|
|
//
|
|
// It is an error for any config files to have an extension other than `hcl`
|
|
// or `json`, unless ConfigFormat is also set. However, non-HCL/JSON files in
|
|
// a config directory are merely skipped, with a warning.
|
|
ConfigFiles []string
|
|
|
|
// ConfigFormat forces all config files to be interpreted as this format
|
|
// independent of their extension. Value may be `hcl` or `json`.
|
|
ConfigFormat string
|
|
|
|
// DevMode indicates whether the agent should be started in development
|
|
// mode. This cannot be configured in a config file.
|
|
DevMode *bool
|
|
|
|
// HCL is a slice of config data in hcl format. Each one will be loaded as
|
|
// if it were the source of a config file. Values from HCL will override
|
|
// values from ConfigFiles and FlagValues.
|
|
HCL []string
|
|
|
|
// DefaultConfig is an optional source that is applied after other defaults
|
|
// but before ConfigFiles and all other user specified config.
|
|
DefaultConfig Source
|
|
|
|
// Overrides are optional config sources that are applied as the very last
|
|
// config source so they can override any previous values.
|
|
Overrides []Source
|
|
|
|
// hostname is a shim for testing, allowing tests to specify a replacement
|
|
// for os.Hostname.
|
|
hostname func() (string, error)
|
|
|
|
// getPrivateIPv4 and getPublicIPv6 are shims for testing, allowing tests to
|
|
// specify a replacement for ipaddr.GetPrivateIPv4 and ipaddr.GetPublicIPv6.
|
|
getPrivateIPv4 func() ([]*net.IPAddr, error)
|
|
getPublicIPv6 func() ([]*net.IPAddr, error)
|
|
|
|
// sources is a shim for testing. Many test cases used explicit sources instead
|
|
// paths to config files. This shim allows us to preserve those test cases
|
|
// while using Load as the entrypoint.
|
|
sources []Source
|
|
}
|
|
|
|
// Load will build the configuration including the config source injected
|
|
// after all other defaults but before any user supplied configuration and the overrides
|
|
// source injected as the final source in the configuration parsing chain.
|
|
//
|
|
// The caller is responsible for handling any warnings in LoadResult.Warnings.
|
|
func Load(opts LoadOpts) (LoadResult, error) {
|
|
r := LoadResult{}
|
|
b, err := newBuilder(opts)
|
|
if err != nil {
|
|
return r, err
|
|
}
|
|
cfg, err := b.build()
|
|
if err != nil {
|
|
return r, err
|
|
}
|
|
if err := b.validate(cfg); err != nil {
|
|
return r, err
|
|
}
|
|
watcherFiles := stringslice.CloneStringSlice(opts.ConfigFiles)
|
|
return LoadResult{RuntimeConfig: &cfg, Warnings: b.Warnings, WatchedFiles: watcherFiles}, nil
|
|
}
|
|
|
|
// LoadResult is the result returned from Load. The caller is responsible for
|
|
// handling any warnings.
|
|
type LoadResult struct {
|
|
RuntimeConfig *RuntimeConfig
|
|
Warnings []string
|
|
WatchedFiles []string
|
|
}
|
|
|
|
// builder constructs and validates a runtime configuration from multiple
|
|
// configuration sources.
|
|
//
|
|
// The sources are merged in the following order:
|
|
//
|
|
// - default configuration
|
|
// - config files in alphabetical order
|
|
// - command line arguments
|
|
// - overrides
|
|
//
|
|
// The config sources are merged sequentially and later values overwrite
|
|
// previously set values. Slice values are merged by concatenating the two slices.
|
|
// Map values are merged by over-laying the later maps on top of earlier ones.
|
|
type builder struct {
|
|
opts LoadOpts
|
|
|
|
// Head, Sources, and Tail are used to manage the order of the
|
|
// config sources, as described in the comments above.
|
|
Head []Source
|
|
Sources []Source
|
|
Tail []Source
|
|
|
|
// Warnings contains the warnings encountered when
|
|
// parsing the configuration.
|
|
Warnings []string
|
|
|
|
// err contains the first error that occurred during
|
|
// building the runtime configuration.
|
|
err error
|
|
}
|
|
|
|
// newBuilder returns a new configuration Builder from the LoadOpts.
|
|
func newBuilder(opts LoadOpts) (*builder, error) {
|
|
configFormat := opts.ConfigFormat
|
|
if configFormat != "" && configFormat != "json" && configFormat != "hcl" {
|
|
return nil, fmt.Errorf("config: -config-format must be either 'hcl' or 'json'")
|
|
}
|
|
|
|
b := &builder{
|
|
opts: opts,
|
|
Head: []Source{DefaultSource(), DefaultEnterpriseSource()},
|
|
}
|
|
|
|
if boolVal(opts.DevMode) {
|
|
b.Head = append(b.Head, DevSource())
|
|
}
|
|
|
|
cfg, warns := applyDeprecatedFlags(&opts.FlagValues)
|
|
b.Warnings = append(b.Warnings, warns...)
|
|
|
|
// Since the merge logic is to overwrite all fields with later
|
|
// values except slices which are merged by appending later values
|
|
// we need to merge all slice values defined in flags before we
|
|
// merge the config files since the flag values for slices are
|
|
// otherwise appended instead of prepended.
|
|
slices, values := splitSlicesAndValues(cfg)
|
|
b.Head = append(b.Head, LiteralSource{Name: "flags.slices", Config: slices})
|
|
if opts.DefaultConfig != nil {
|
|
b.Head = append(b.Head, opts.DefaultConfig)
|
|
}
|
|
|
|
b.Sources = opts.sources
|
|
for _, path := range opts.ConfigFiles {
|
|
sources, err := b.sourcesFromPath(path, opts.ConfigFormat)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
b.Sources = append(b.Sources, sources...)
|
|
}
|
|
b.Tail = append(b.Tail, LiteralSource{Name: "flags.values", Config: values})
|
|
for i, s := range opts.HCL {
|
|
b.Tail = append(b.Tail, FileSource{
|
|
Name: fmt.Sprintf("flags-%d.hcl", i),
|
|
Format: "hcl",
|
|
Data: s,
|
|
})
|
|
}
|
|
b.Tail = append(b.Tail, NonUserSource(), DefaultConsulSource(), OverrideEnterpriseSource(), defaultVersionSource())
|
|
if boolVal(opts.DevMode) {
|
|
b.Tail = append(b.Tail, DevConsulSource())
|
|
}
|
|
if len(opts.Overrides) != 0 {
|
|
b.Tail = append(b.Tail, opts.Overrides...)
|
|
}
|
|
return b, nil
|
|
}
|
|
|
|
// sourcesFromPath reads a single config file or all files in a directory (but
|
|
// not its sub-directories) and returns Sources created from the
|
|
// files.
|
|
func (b *builder) sourcesFromPath(path string, format string) ([]Source, error) {
|
|
f, err := os.Open(path)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("config: Open failed on %s. %s", path, err)
|
|
}
|
|
defer f.Close()
|
|
|
|
fi, err := f.Stat()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("config: Stat failed on %s. %s", path, err)
|
|
}
|
|
|
|
if !fi.IsDir() {
|
|
if !shouldParseFile(path, format) {
|
|
return nil, fmt.Errorf("file %v has unknown extension; must be .hcl or .json, or config format must be set", path)
|
|
}
|
|
|
|
src, err := newSourceFromFile(path, format)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return []Source{src}, nil
|
|
}
|
|
|
|
fis, err := f.Readdir(-1)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("config: Readdir failed on %s. %s", path, err)
|
|
}
|
|
|
|
// sort files by name
|
|
sort.Sort(byName(fis))
|
|
|
|
var sources []Source
|
|
for _, fi := range fis {
|
|
fp := filepath.Join(path, fi.Name())
|
|
// check for a symlink and resolve the path
|
|
if fi.Mode()&os.ModeSymlink > 0 {
|
|
var err error
|
|
fp, err = filepath.EvalSymlinks(fp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
fi, err = os.Stat(fp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
// do not recurse into sub dirs
|
|
if fi.IsDir() {
|
|
continue
|
|
}
|
|
|
|
if !shouldParseFile(fp, format) {
|
|
b.warn("skipping file %v, extension must be .hcl or .json, or config format must be set", fp)
|
|
continue
|
|
}
|
|
src, err := newSourceFromFile(fp, format)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sources = append(sources, src)
|
|
}
|
|
return sources, nil
|
|
}
|
|
|
|
// newSourceFromFile creates a Source from the contents of the file at path.
|
|
func newSourceFromFile(path string, format string) (Source, error) {
|
|
data, err := os.ReadFile(path)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("config: failed to read %s: %s", path, err)
|
|
}
|
|
if format == "" {
|
|
format = formatFromFileExtension(path)
|
|
}
|
|
return FileSource{Name: path, Data: string(data), Format: format}, nil
|
|
}
|
|
|
|
// shouldParse file determines whether the file to be read is of a supported extension
|
|
func shouldParseFile(path string, configFormat string) bool {
|
|
srcFormat := formatFromFileExtension(path)
|
|
return configFormat != "" || srcFormat == "hcl" || srcFormat == "json"
|
|
}
|
|
|
|
func formatFromFileExtension(name string) string {
|
|
switch {
|
|
case strings.HasSuffix(name, ".json"):
|
|
return "json"
|
|
case strings.HasSuffix(name, ".hcl"):
|
|
return "hcl"
|
|
default:
|
|
return ""
|
|
}
|
|
}
|
|
|
|
type byName []os.FileInfo
|
|
|
|
func (a byName) Len() int { return len(a) }
|
|
func (a byName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
func (a byName) Less(i, j int) bool { return a[i].Name() < a[j].Name() }
|
|
|
|
// build constructs the runtime configuration from the config sources
|
|
// and the command line flags. The config sources are processed in the
|
|
// order they were added with the flags being processed last to give
|
|
// precedence over the other sources. If the error is nil then
|
|
// warnings can still contain deprecation or format warnings that should
|
|
// be presented to the user.
|
|
func (b *builder) build() (rt RuntimeConfig, err error) {
|
|
srcs := make([]Source, 0, len(b.Head)+len(b.Sources)+len(b.Tail))
|
|
srcs = append(srcs, b.Head...)
|
|
srcs = append(srcs, b.Sources...)
|
|
srcs = append(srcs, b.Tail...)
|
|
|
|
// parse the config sources into a configuration
|
|
var c Config
|
|
for _, s := range srcs {
|
|
|
|
c2, md, err := s.Parse()
|
|
switch {
|
|
case err == ErrNoData:
|
|
continue
|
|
case err != nil:
|
|
return RuntimeConfig{}, fmt.Errorf("failed to parse %v: %w", s.Source(), err)
|
|
}
|
|
|
|
var unusedErr error
|
|
for _, k := range md.Unused {
|
|
switch {
|
|
case k == "acl_enforce_version_8":
|
|
b.warn("config key %q is deprecated and should be removed", k)
|
|
case strings.HasPrefix(k, "audit.sink[") && strings.HasSuffix(k, "].name"):
|
|
b.warn("config key audit.sink[].name is deprecated and should be removed")
|
|
default:
|
|
unusedErr = multierror.Append(unusedErr, fmt.Errorf("invalid config key %s", k))
|
|
}
|
|
}
|
|
if unusedErr != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("failed to parse %v: %s", s.Source(), unusedErr)
|
|
}
|
|
|
|
for _, err := range validateEnterpriseConfigKeys(&c2) {
|
|
b.warn("%s", err)
|
|
}
|
|
b.Warnings = append(b.Warnings, md.Warnings...)
|
|
|
|
// if we have a single 'check' or 'service' we need to add them to the
|
|
// list of checks and services first since we cannot merge them
|
|
// generically and later values would clobber earlier ones.
|
|
// TODO: move to applyDeprecatedConfig
|
|
if c2.Check != nil {
|
|
c2.Checks = append(c2.Checks, *c2.Check)
|
|
c2.Check = nil
|
|
}
|
|
if c2.Service != nil {
|
|
c2.Services = append(c2.Services, *c2.Service)
|
|
c2.Service = nil
|
|
}
|
|
c = Merge(c, c2)
|
|
}
|
|
|
|
// ----------------------------------------------------------------
|
|
// process/merge some complex values
|
|
//
|
|
|
|
dnsServiceTTL := map[string]time.Duration{}
|
|
for k, v := range c.DNS.ServiceTTL {
|
|
dnsServiceTTL[k] = b.durationVal(fmt.Sprintf("dns_config.service_ttl[%q]", k), &v)
|
|
}
|
|
|
|
soa := RuntimeSOAConfig{Refresh: 3600, Retry: 600, Expire: 86400, Minttl: 0}
|
|
if c.DNS.SOA != nil {
|
|
if c.DNS.SOA.Expire != nil {
|
|
soa.Expire = *c.DNS.SOA.Expire
|
|
}
|
|
if c.DNS.SOA.Minttl != nil {
|
|
soa.Minttl = *c.DNS.SOA.Minttl
|
|
}
|
|
if c.DNS.SOA.Refresh != nil {
|
|
soa.Refresh = *c.DNS.SOA.Refresh
|
|
}
|
|
if c.DNS.SOA.Retry != nil {
|
|
soa.Retry = *c.DNS.SOA.Retry
|
|
}
|
|
}
|
|
|
|
leaveOnTerm := !boolVal(c.ServerMode)
|
|
if c.LeaveOnTerm != nil {
|
|
leaveOnTerm = boolVal(c.LeaveOnTerm)
|
|
}
|
|
|
|
skipLeaveOnInt := boolVal(c.ServerMode)
|
|
if c.SkipLeaveOnInt != nil {
|
|
skipLeaveOnInt = boolVal(c.SkipLeaveOnInt)
|
|
}
|
|
|
|
// ----------------------------------------------------------------
|
|
// checks and services
|
|
//
|
|
|
|
var checks []*structs.CheckDefinition
|
|
if c.Check != nil {
|
|
checks = append(checks, b.checkVal(c.Check))
|
|
}
|
|
for _, check := range c.Checks {
|
|
checks = append(checks, b.checkVal(&check))
|
|
}
|
|
|
|
var services []*structs.ServiceDefinition
|
|
for _, service := range c.Services {
|
|
services = append(services, b.serviceVal(&service))
|
|
}
|
|
if c.Service != nil {
|
|
services = append(services, b.serviceVal(c.Service))
|
|
}
|
|
|
|
// ----------------------------------------------------------------
|
|
// addresses
|
|
//
|
|
|
|
// determine port values and replace values <= 0 and > 65535 with -1
|
|
dnsPort := b.portVal("ports.dns", c.Ports.DNS)
|
|
httpPort := b.portVal("ports.http", c.Ports.HTTP)
|
|
httpsPort := b.portVal("ports.https", c.Ports.HTTPS)
|
|
serverPort := b.portVal("ports.server", c.Ports.Server)
|
|
grpcPort := b.portVal("ports.grpc", c.Ports.GRPC)
|
|
grpcTlsPort := b.portVal("ports.grpc_tls", c.Ports.GRPCTLS)
|
|
// default gRPC TLS port for servers is 8503
|
|
if c.Ports.GRPCTLS == nil && boolVal(c.ServerMode) {
|
|
grpcTlsPort = 8503
|
|
}
|
|
serfPortLAN := b.portVal("ports.serf_lan", c.Ports.SerfLAN)
|
|
serfPortWAN := b.portVal("ports.serf_wan", c.Ports.SerfWAN)
|
|
proxyMinPort := b.portVal("ports.proxy_min_port", c.Ports.ProxyMinPort)
|
|
proxyMaxPort := b.portVal("ports.proxy_max_port", c.Ports.ProxyMaxPort)
|
|
sidecarMinPort := b.portVal("ports.sidecar_min_port", c.Ports.SidecarMinPort)
|
|
sidecarMaxPort := b.portVal("ports.sidecar_max_port", c.Ports.SidecarMaxPort)
|
|
exposeMinPort := b.portVal("ports.expose_min_port", c.Ports.ExposeMinPort)
|
|
exposeMaxPort := b.portVal("ports.expose_max_port", c.Ports.ExposeMaxPort)
|
|
if serverPort <= 0 {
|
|
return RuntimeConfig{}, fmt.Errorf(
|
|
"server-port must be greater than zero")
|
|
}
|
|
if serfPortLAN <= 0 {
|
|
return RuntimeConfig{}, fmt.Errorf(
|
|
"serf-lan-port must be greater than zero")
|
|
}
|
|
if proxyMaxPort < proxyMinPort {
|
|
return RuntimeConfig{}, fmt.Errorf(
|
|
"proxy_min_port must be less than proxy_max_port. To disable, set both to zero.")
|
|
}
|
|
if sidecarMaxPort < sidecarMinPort {
|
|
return RuntimeConfig{}, fmt.Errorf(
|
|
"sidecar_min_port must be less than sidecar_max_port. To disable, set both to zero.")
|
|
}
|
|
if exposeMaxPort < exposeMinPort {
|
|
return RuntimeConfig{}, fmt.Errorf(
|
|
"expose_min_port must be less than expose_max_port. To disable, set both to zero.")
|
|
}
|
|
|
|
// determine the default bind and advertise address
|
|
//
|
|
// First check whether the user provided an ANY address or whether
|
|
// the expanded template results in an ANY address. In that case we
|
|
// derive an advertise address from the current network
|
|
// configuration since we can listen on an ANY address for incoming
|
|
// traffic but cannot advertise it as the address on which the
|
|
// server can be reached.
|
|
|
|
bindAddrs := b.expandAddrs("bind_addr", c.BindAddr)
|
|
if len(bindAddrs) == 0 {
|
|
return RuntimeConfig{}, fmt.Errorf("bind_addr cannot be empty")
|
|
}
|
|
if len(bindAddrs) > 1 {
|
|
return RuntimeConfig{}, fmt.Errorf("bind_addr cannot contain multiple addresses. Use 'addresses.{dns,http,https}' instead.")
|
|
}
|
|
if isUnixAddr(bindAddrs[0]) {
|
|
return RuntimeConfig{}, fmt.Errorf("bind_addr cannot be a unix socket")
|
|
}
|
|
if !isIPAddr(bindAddrs[0]) {
|
|
return RuntimeConfig{}, fmt.Errorf("bind_addr must be an ip address")
|
|
}
|
|
if ipaddr.IsAny(stringVal(c.AdvertiseAddrLAN)) {
|
|
return RuntimeConfig{}, fmt.Errorf("Advertise address cannot be 0.0.0.0, :: or [::]")
|
|
}
|
|
if ipaddr.IsAny(stringVal(c.AdvertiseAddrWAN)) {
|
|
return RuntimeConfig{}, fmt.Errorf("Advertise WAN address cannot be 0.0.0.0, :: or [::]")
|
|
}
|
|
|
|
bindAddr := bindAddrs[0].(*net.IPAddr)
|
|
advertiseAddr := makeIPAddr(b.expandFirstIP("advertise_addr", c.AdvertiseAddrLAN), bindAddr)
|
|
|
|
if ipaddr.IsAny(advertiseAddr) {
|
|
addrtyp, detect := advertiseAddrFunc(b.opts, advertiseAddr)
|
|
advertiseAddrs, err := detect()
|
|
if err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("Error detecting %s address: %s", addrtyp, err)
|
|
}
|
|
if len(advertiseAddrs) == 0 {
|
|
return RuntimeConfig{}, fmt.Errorf("No %s address found", addrtyp)
|
|
}
|
|
if len(advertiseAddrs) > 1 {
|
|
return RuntimeConfig{}, fmt.Errorf("Multiple %s addresses found. Please configure one with 'bind' and/or 'advertise'.", addrtyp)
|
|
}
|
|
advertiseAddr = advertiseAddrs[0]
|
|
}
|
|
|
|
// derive other bind addresses from the bindAddr
|
|
rpcBindAddr := b.makeTCPAddr(bindAddr, nil, serverPort)
|
|
serfBindAddrLAN := b.makeTCPAddr(b.expandFirstIP("serf_lan", c.SerfBindAddrLAN), bindAddr, serfPortLAN)
|
|
|
|
// Only initialize serf WAN bind address when its enabled
|
|
var serfBindAddrWAN *net.TCPAddr
|
|
if serfPortWAN >= 0 {
|
|
serfBindAddrWAN = b.makeTCPAddr(b.expandFirstIP("serf_wan", c.SerfBindAddrWAN), bindAddr, serfPortWAN)
|
|
}
|
|
|
|
// derive other advertise addresses from the advertise address
|
|
advertiseAddrLAN := makeIPAddr(b.expandFirstIP("advertise_addr", c.AdvertiseAddrLAN), advertiseAddr)
|
|
advertiseAddrIsV6 := advertiseAddr.IP.To4() == nil
|
|
var advertiseAddrV4, advertiseAddrV6 *net.IPAddr
|
|
if !advertiseAddrIsV6 {
|
|
advertiseAddrV4 = advertiseAddr
|
|
} else {
|
|
advertiseAddrV6 = advertiseAddr
|
|
}
|
|
advertiseAddrLANIPv4 := makeIPAddr(b.expandFirstIP("advertise_addr_ipv4", c.AdvertiseAddrLANIPv4), advertiseAddrV4)
|
|
if advertiseAddrLANIPv4 != nil && advertiseAddrLANIPv4.IP.To4() == nil {
|
|
return RuntimeConfig{}, fmt.Errorf("advertise_addr_ipv4 must be an ipv4 address")
|
|
}
|
|
advertiseAddrLANIPv6 := makeIPAddr(b.expandFirstIP("advertise_addr_ipv6", c.AdvertiseAddrLANIPv6), advertiseAddrV6)
|
|
if advertiseAddrLANIPv6 != nil && advertiseAddrLANIPv6.IP.To4() != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("advertise_addr_ipv6 must be an ipv6 address")
|
|
}
|
|
|
|
advertiseAddrWAN := makeIPAddr(b.expandFirstIP("advertise_addr_wan", c.AdvertiseAddrWAN), advertiseAddrLAN)
|
|
advertiseAddrWANIsV6 := advertiseAddrWAN.IP.To4() == nil
|
|
var advertiseAddrWANv4, advertiseAddrWANv6 *net.IPAddr
|
|
if !advertiseAddrWANIsV6 {
|
|
advertiseAddrWANv4 = advertiseAddrWAN
|
|
} else {
|
|
advertiseAddrWANv6 = advertiseAddrWAN
|
|
}
|
|
advertiseAddrWANIPv4 := makeIPAddr(b.expandFirstIP("advertise_addr_wan_ipv4", c.AdvertiseAddrWANIPv4), advertiseAddrWANv4)
|
|
if advertiseAddrWANIPv4 != nil && advertiseAddrWANIPv4.IP.To4() == nil {
|
|
return RuntimeConfig{}, fmt.Errorf("advertise_addr_wan_ipv4 must be an ipv4 address")
|
|
}
|
|
advertiseAddrWANIPv6 := makeIPAddr(b.expandFirstIP("advertise_addr_wan_ipv6", c.AdvertiseAddrWANIPv6), advertiseAddrWANv6)
|
|
if advertiseAddrWANIPv6 != nil && advertiseAddrWANIPv6.IP.To4() != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("advertise_addr_wan_ipv6 must be an ipv6 address")
|
|
}
|
|
|
|
rpcAdvertiseAddr := &net.TCPAddr{IP: advertiseAddrLAN.IP, Port: serverPort}
|
|
serfAdvertiseAddrLAN := &net.TCPAddr{IP: advertiseAddrLAN.IP, Port: serfPortLAN}
|
|
// Only initialize serf WAN advertise address when its enabled
|
|
var serfAdvertiseAddrWAN *net.TCPAddr
|
|
if serfPortWAN >= 0 {
|
|
serfAdvertiseAddrWAN = &net.TCPAddr{IP: advertiseAddrWAN.IP, Port: serfPortWAN}
|
|
}
|
|
|
|
// determine client addresses
|
|
clientAddrs := b.expandIPs("client_addr", c.ClientAddr)
|
|
if len(clientAddrs) == 0 {
|
|
b.warn("client_addr is empty, client services (DNS, HTTP, HTTPS, GRPC) will not be listening for connections")
|
|
}
|
|
dnsAddrs := b.makeAddrs(b.expandAddrs("addresses.dns", c.Addresses.DNS), clientAddrs, dnsPort)
|
|
httpAddrs := b.makeAddrs(b.expandAddrs("addresses.http", c.Addresses.HTTP), clientAddrs, httpPort)
|
|
httpsAddrs := b.makeAddrs(b.expandAddrs("addresses.https", c.Addresses.HTTPS), clientAddrs, httpsPort)
|
|
grpcAddrs := b.makeAddrs(b.expandAddrs("addresses.grpc", c.Addresses.GRPC), clientAddrs, grpcPort)
|
|
grpcTlsAddrs := b.makeAddrs(b.expandAddrs("addresses.grpc_tls", c.Addresses.GRPCTLS), clientAddrs, grpcTlsPort)
|
|
|
|
for _, a := range dnsAddrs {
|
|
if x, ok := a.(*net.TCPAddr); ok {
|
|
dnsAddrs = append(dnsAddrs, &net.UDPAddr{IP: x.IP, Port: x.Port})
|
|
}
|
|
}
|
|
|
|
// expand dns recursors
|
|
uniq := map[string]bool{}
|
|
dnsRecursors := []string{}
|
|
for _, r := range c.DNSRecursors {
|
|
x, err := template.Parse(r)
|
|
if err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("Invalid DNS recursor template %q: %s", r, err)
|
|
}
|
|
for _, addr := range strings.Fields(x) {
|
|
if strings.HasPrefix(addr, "unix://") {
|
|
return RuntimeConfig{}, fmt.Errorf("DNS Recursors cannot be unix sockets: %s", addr)
|
|
}
|
|
if uniq[addr] {
|
|
continue
|
|
}
|
|
uniq[addr] = true
|
|
dnsRecursors = append(dnsRecursors, addr)
|
|
}
|
|
}
|
|
|
|
datacenter := strings.ToLower(stringVal(c.Datacenter))
|
|
altDomain := stringVal(c.DNSAltDomain)
|
|
|
|
// Create the default set of tagged addresses.
|
|
if c.TaggedAddresses == nil {
|
|
c.TaggedAddresses = make(map[string]string)
|
|
}
|
|
|
|
c.TaggedAddresses[structs.TaggedAddressLAN] = advertiseAddrLAN.IP.String()
|
|
if advertiseAddrLANIPv4 != nil {
|
|
c.TaggedAddresses[structs.TaggedAddressLANIPv4] = advertiseAddrLANIPv4.IP.String()
|
|
}
|
|
if advertiseAddrLANIPv6 != nil {
|
|
c.TaggedAddresses[structs.TaggedAddressLANIPv6] = advertiseAddrLANIPv6.IP.String()
|
|
}
|
|
|
|
c.TaggedAddresses[structs.TaggedAddressWAN] = advertiseAddrWAN.IP.String()
|
|
if advertiseAddrWANIPv4 != nil {
|
|
c.TaggedAddresses[structs.TaggedAddressWANIPv4] = advertiseAddrWANIPv4.IP.String()
|
|
}
|
|
if advertiseAddrWANIPv6 != nil {
|
|
c.TaggedAddresses[structs.TaggedAddressWANIPv6] = advertiseAddrWANIPv6.IP.String()
|
|
}
|
|
|
|
// segments
|
|
var segments []structs.NetworkSegment
|
|
for _, s := range c.Segments {
|
|
name := stringVal(s.Name)
|
|
port := b.portVal(fmt.Sprintf("segments[%s].port", name), s.Port)
|
|
if port <= 0 {
|
|
return RuntimeConfig{}, fmt.Errorf("Port for segment %q cannot be <= 0", name)
|
|
}
|
|
|
|
bind := b.makeTCPAddr(
|
|
b.expandFirstIP(fmt.Sprintf("segments[%s].bind", name), s.Bind),
|
|
bindAddr,
|
|
port,
|
|
)
|
|
|
|
advertise := b.makeTCPAddr(
|
|
b.expandFirstIP(fmt.Sprintf("segments[%s].advertise", name), s.Advertise),
|
|
advertiseAddrLAN,
|
|
port,
|
|
)
|
|
|
|
segments = append(segments, structs.NetworkSegment{
|
|
Name: name,
|
|
Bind: bind,
|
|
Advertise: advertise,
|
|
RPCListener: boolVal(s.RPCListener),
|
|
})
|
|
}
|
|
|
|
// Parse the metric filters
|
|
telemetryAllowedPrefixes, telemetryBlockedPrefixes := b.parsePrefixFilter(&c.Telemetry)
|
|
|
|
// raft performance scaling
|
|
performanceRaftMultiplier := intVal(c.Performance.RaftMultiplier)
|
|
if performanceRaftMultiplier < 1 || uint(performanceRaftMultiplier) > consul.MaxRaftMultiplier {
|
|
return RuntimeConfig{}, fmt.Errorf("performance.raft_multiplier cannot be %d. Must be between 1 and %d", performanceRaftMultiplier, consul.MaxRaftMultiplier)
|
|
}
|
|
consulRaftElectionTimeout := b.durationVal("consul.raft.election_timeout", c.Consul.Raft.ElectionTimeout) * time.Duration(performanceRaftMultiplier)
|
|
consulRaftHeartbeatTimeout := b.durationVal("consul.raft.heartbeat_timeout", c.Consul.Raft.HeartbeatTimeout) * time.Duration(performanceRaftMultiplier)
|
|
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
|
|
|
// Connect
|
|
connectEnabled := boolVal(c.Connect.Enabled)
|
|
connectCAProvider := stringVal(c.Connect.CAProvider)
|
|
connectCAConfig := c.Connect.CAConfig
|
|
|
|
// autoEncrypt and autoConfig implicitly turns on connect which is why
|
|
// they need to be above other settings that rely on connect.
|
|
autoEncryptDNSSAN := []string{}
|
|
for _, d := range c.AutoEncrypt.DNSSAN {
|
|
autoEncryptDNSSAN = append(autoEncryptDNSSAN, d)
|
|
}
|
|
autoEncryptIPSAN := []net.IP{}
|
|
for _, i := range c.AutoEncrypt.IPSAN {
|
|
ip := net.ParseIP(i)
|
|
if ip == nil {
|
|
b.warn(fmt.Sprintf("Cannot parse ip %q from AutoEncrypt.IPSAN", i))
|
|
continue
|
|
}
|
|
autoEncryptIPSAN = append(autoEncryptIPSAN, ip)
|
|
|
|
}
|
|
autoEncryptAllowTLS := boolVal(c.AutoEncrypt.AllowTLS)
|
|
autoConfig := b.autoConfigVal(c.AutoConfig, stringVal(c.Partition))
|
|
if autoEncryptAllowTLS || autoConfig.Enabled {
|
|
connectEnabled = true
|
|
}
|
|
|
|
// Connect proxy defaults
|
|
connectMeshGatewayWANFederationEnabled := boolVal(c.Connect.MeshGatewayWANFederationEnabled)
|
|
if connectMeshGatewayWANFederationEnabled && !connectEnabled {
|
|
return RuntimeConfig{}, fmt.Errorf("'connect.enable_mesh_gateway_wan_federation=true' requires 'connect.enabled=true'")
|
|
}
|
|
if connectCAConfig != nil {
|
|
// nolint: staticcheck // CA config should be changed to use HookTranslateKeys
|
|
lib.TranslateKeys(connectCAConfig, map[string]string{
|
|
// Consul CA config
|
|
"private_key": "PrivateKey",
|
|
"root_cert": "RootCert",
|
|
"intermediate_cert_ttl": "IntermediateCertTTL",
|
|
|
|
// Vault CA config
|
|
"address": "Address",
|
|
"token": "Token",
|
|
"root_pki_path": "RootPKIPath",
|
|
"root_pki_namespace": "RootPKINamespace",
|
|
"intermediate_pki_path": "IntermediatePKIPath",
|
|
"intermediate_pki_namespace": "IntermediatePKINamespace",
|
|
"ca_file": "CAFile",
|
|
"ca_path": "CAPath",
|
|
"cert_file": "CertFile",
|
|
"key_file": "KeyFile",
|
|
"tls_server_name": "TLSServerName",
|
|
"tls_skip_verify": "TLSSkipVerify",
|
|
|
|
// AWS CA config
|
|
"existing_arn": "ExistingARN",
|
|
"delete_on_exit": "DeleteOnExit",
|
|
|
|
// Common CA config
|
|
"leaf_cert_ttl": "LeafCertTTL",
|
|
"csr_max_per_second": "CSRMaxPerSecond",
|
|
"csr_max_concurrent": "CSRMaxConcurrent",
|
|
"private_key_type": "PrivateKeyType",
|
|
"private_key_bits": "PrivateKeyBits",
|
|
"root_cert_ttl": "RootCertTTL",
|
|
})
|
|
}
|
|
|
|
aclsEnabled := false
|
|
primaryDatacenter := strings.ToLower(stringVal(c.PrimaryDatacenter))
|
|
|
|
if c.ACL.Enabled != nil {
|
|
aclsEnabled = boolVal(c.ACL.Enabled)
|
|
}
|
|
|
|
// Set the primary DC if it wasn't set.
|
|
if primaryDatacenter == "" {
|
|
primaryDatacenter = datacenter
|
|
}
|
|
|
|
enableRemoteScriptChecks := boolVal(c.EnableScriptChecks)
|
|
enableLocalScriptChecks := boolValWithDefault(c.EnableLocalScriptChecks, enableRemoteScriptChecks)
|
|
|
|
var configEntries []structs.ConfigEntry
|
|
|
|
if len(c.ConfigEntries.Bootstrap) > 0 {
|
|
for i, rawEntry := range c.ConfigEntries.Bootstrap {
|
|
entry, err := structs.DecodeConfigEntry(rawEntry)
|
|
if err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("config_entries.bootstrap[%d]: %s", i, err)
|
|
}
|
|
if err := entry.Normalize(); err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("config_entries.bootstrap[%d]: %s", i, err)
|
|
}
|
|
if err := entry.Validate(); err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("config_entries.bootstrap[%d]: %w", i, err)
|
|
}
|
|
configEntries = append(configEntries, entry)
|
|
}
|
|
}
|
|
|
|
serfAllowedCIDRSLAN, err := memberlist.ParseCIDRs(c.SerfAllowedCIDRsLAN)
|
|
if err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("serf_lan_allowed_cidrs: %s", err)
|
|
}
|
|
serfAllowedCIDRSWAN, err := memberlist.ParseCIDRs(c.SerfAllowedCIDRsWAN)
|
|
if err != nil {
|
|
return RuntimeConfig{}, fmt.Errorf("serf_wan_allowed_cidrs: %s", err)
|
|
}
|
|
|
|
// Handle Deprecated UI config fields
|
|
if c.UI != nil {
|
|
b.warn("The 'ui' field is deprecated. Use the 'ui_config.enabled' field instead.")
|
|
if c.UIConfig.Enabled == nil {
|
|
c.UIConfig.Enabled = c.UI
|
|
}
|
|
}
|
|
if c.UIDir != nil {
|
|
b.warn("The 'ui_dir' field is deprecated. Use the 'ui_config.dir' field instead.")
|
|
if c.UIConfig.Dir == nil {
|
|
c.UIConfig.Dir = c.UIDir
|
|
}
|
|
}
|
|
if c.UIContentPath != nil {
|
|
b.warn("The 'ui_content_path' field is deprecated. Use the 'ui_config.content_path' field instead.")
|
|
if c.UIConfig.ContentPath == nil {
|
|
c.UIConfig.ContentPath = c.UIContentPath
|
|
}
|
|
}
|
|
|
|
serverMode := boolVal(c.ServerMode)
|
|
|
|
// ----------------------------------------------------------------
|
|
// build runtime config
|
|
//
|
|
dataDir := stringVal(c.DataDir)
|
|
rt = RuntimeConfig{
|
|
// non-user configurable values
|
|
AEInterval: b.durationVal("ae_interval", c.AEInterval),
|
|
CheckDeregisterIntervalMin: b.durationVal("check_deregister_interval_min", c.CheckDeregisterIntervalMin),
|
|
CheckReapInterval: b.durationVal("check_reap_interval", c.CheckReapInterval),
|
|
Revision: stringVal(c.Revision),
|
|
SegmentNameLimit: intVal(c.SegmentNameLimit),
|
|
SyncCoordinateIntervalMin: b.durationVal("sync_coordinate_interval_min", c.SyncCoordinateIntervalMin),
|
|
SyncCoordinateRateTarget: float64Val(c.SyncCoordinateRateTarget),
|
|
Version: stringVal(c.Version),
|
|
VersionPrerelease: stringVal(c.VersionPrerelease),
|
|
VersionMetadata: stringVal(c.VersionMetadata),
|
|
// What is a sensible default for BuildDate?
|
|
BuildDate: timeValWithDefault(c.BuildDate, time.Date(1970, 1, 00, 00, 00, 01, 0, time.UTC)),
|
|
|
|
// consul configuration
|
|
ConsulCoordinateUpdateBatchSize: intVal(c.Consul.Coordinate.UpdateBatchSize),
|
|
ConsulCoordinateUpdateMaxBatches: intVal(c.Consul.Coordinate.UpdateMaxBatches),
|
|
ConsulCoordinateUpdatePeriod: b.durationVal("consul.coordinate.update_period", c.Consul.Coordinate.UpdatePeriod),
|
|
ConsulRaftElectionTimeout: consulRaftElectionTimeout,
|
|
ConsulRaftHeartbeatTimeout: consulRaftHeartbeatTimeout,
|
|
ConsulRaftLeaderLeaseTimeout: consulRaftLeaderLeaseTimeout,
|
|
ConsulServerHealthInterval: b.durationVal("consul.server.health_interval", c.Consul.Server.HealthInterval),
|
|
|
|
// gossip configuration
|
|
GossipLANGossipInterval: b.durationVal("gossip_lan..gossip_interval", c.GossipLAN.GossipInterval),
|
|
GossipLANGossipNodes: intVal(c.GossipLAN.GossipNodes),
|
|
Locality: c.Locality,
|
|
GossipLANProbeInterval: b.durationVal("gossip_lan..probe_interval", c.GossipLAN.ProbeInterval),
|
|
GossipLANProbeTimeout: b.durationVal("gossip_lan..probe_timeout", c.GossipLAN.ProbeTimeout),
|
|
GossipLANSuspicionMult: intVal(c.GossipLAN.SuspicionMult),
|
|
GossipLANRetransmitMult: intVal(c.GossipLAN.RetransmitMult),
|
|
GossipWANGossipInterval: b.durationVal("gossip_wan..gossip_interval", c.GossipWAN.GossipInterval),
|
|
GossipWANGossipNodes: intVal(c.GossipWAN.GossipNodes),
|
|
GossipWANProbeInterval: b.durationVal("gossip_wan..probe_interval", c.GossipWAN.ProbeInterval),
|
|
GossipWANProbeTimeout: b.durationVal("gossip_wan..probe_timeout", c.GossipWAN.ProbeTimeout),
|
|
GossipWANSuspicionMult: intVal(c.GossipWAN.SuspicionMult),
|
|
GossipWANRetransmitMult: intVal(c.GossipWAN.RetransmitMult),
|
|
|
|
// ACL
|
|
ACLsEnabled: aclsEnabled,
|
|
ACLResolverSettings: consul.ACLResolverSettings{
|
|
ACLsEnabled: aclsEnabled,
|
|
Datacenter: datacenter,
|
|
NodeName: b.nodeName(c.NodeName),
|
|
ACLPolicyTTL: b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
|
|
ACLTokenTTL: b.durationVal("acl.token_ttl", c.ACL.TokenTTL),
|
|
ACLRoleTTL: b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
|
|
ACLDownPolicy: stringVal(c.ACL.DownPolicy),
|
|
ACLDefaultPolicy: stringVal(c.ACL.DefaultPolicy),
|
|
},
|
|
|
|
ACLEnableKeyListPolicy: boolVal(c.ACL.EnableKeyListPolicy),
|
|
ACLInitialManagementToken: stringVal(c.ACL.Tokens.InitialManagement),
|
|
|
|
ACLTokenReplication: boolVal(c.ACL.TokenReplication),
|
|
|
|
ACLTokens: token.Config{
|
|
DataDir: dataDir,
|
|
EnablePersistence: boolValWithDefault(c.ACL.EnableTokenPersistence, false),
|
|
ACLDefaultToken: stringVal(c.ACL.Tokens.Default),
|
|
ACLAgentToken: stringVal(c.ACL.Tokens.Agent),
|
|
ACLAgentRecoveryToken: stringVal(c.ACL.Tokens.AgentRecovery),
|
|
ACLReplicationToken: stringVal(c.ACL.Tokens.Replication),
|
|
ACLConfigFileRegistrationToken: stringVal(c.ACL.Tokens.ConfigFileRegistration),
|
|
},
|
|
|
|
// Autopilot
|
|
AutopilotCleanupDeadServers: boolVal(c.Autopilot.CleanupDeadServers),
|
|
AutopilotDisableUpgradeMigration: boolVal(c.Autopilot.DisableUpgradeMigration),
|
|
AutopilotLastContactThreshold: b.durationVal("autopilot.last_contact_threshold", c.Autopilot.LastContactThreshold),
|
|
AutopilotMaxTrailingLogs: intVal(c.Autopilot.MaxTrailingLogs),
|
|
AutopilotMinQuorum: uintVal(c.Autopilot.MinQuorum),
|
|
AutopilotRedundancyZoneTag: stringVal(c.Autopilot.RedundancyZoneTag),
|
|
AutopilotServerStabilizationTime: b.durationVal("autopilot.server_stabilization_time", c.Autopilot.ServerStabilizationTime),
|
|
AutopilotUpgradeVersionTag: stringVal(c.Autopilot.UpgradeVersionTag),
|
|
|
|
// DNS
|
|
DNSAddrs: dnsAddrs,
|
|
DNSAllowStale: boolVal(c.DNS.AllowStale),
|
|
DNSARecordLimit: intVal(c.DNS.ARecordLimit),
|
|
DNSDisableCompression: boolVal(c.DNS.DisableCompression),
|
|
DNSDomain: stringVal(c.DNSDomain),
|
|
DNSAltDomain: altDomain,
|
|
DNSEnableTruncate: boolVal(c.DNS.EnableTruncate),
|
|
DNSMaxStale: b.durationVal("dns_config.max_stale", c.DNS.MaxStale),
|
|
DNSNodeTTL: b.durationVal("dns_config.node_ttl", c.DNS.NodeTTL),
|
|
DNSOnlyPassing: boolVal(c.DNS.OnlyPassing),
|
|
DNSPort: dnsPort,
|
|
DNSRecursorStrategy: b.dnsRecursorStrategyVal(stringVal(c.DNS.RecursorStrategy)),
|
|
DNSRecursorTimeout: b.durationVal("recursor_timeout", c.DNS.RecursorTimeout),
|
|
DNSRecursors: dnsRecursors,
|
|
DNSServiceTTL: dnsServiceTTL,
|
|
DNSSOA: soa,
|
|
DNSUDPAnswerLimit: intVal(c.DNS.UDPAnswerLimit),
|
|
DNSNodeMetaTXT: boolValWithDefault(c.DNS.NodeMetaTXT, true),
|
|
DNSUseCache: boolVal(c.DNS.UseCache),
|
|
DNSCacheMaxAge: b.durationVal("dns_config.cache_max_age", c.DNS.CacheMaxAge),
|
|
|
|
// HTTP
|
|
HTTPPort: httpPort,
|
|
HTTPSPort: httpsPort,
|
|
HTTPAddrs: httpAddrs,
|
|
HTTPSAddrs: httpsAddrs,
|
|
HTTPBlockEndpoints: c.HTTPConfig.BlockEndpoints,
|
|
HTTPMaxHeaderBytes: intVal(c.HTTPConfig.MaxHeaderBytes),
|
|
HTTPResponseHeaders: c.HTTPConfig.ResponseHeaders,
|
|
AllowWriteHTTPFrom: b.cidrsVal("allow_write_http_from", c.HTTPConfig.AllowWriteHTTPFrom),
|
|
HTTPUseCache: boolValWithDefault(c.HTTPConfig.UseCache, true),
|
|
|
|
// Telemetry
|
|
Telemetry: lib.TelemetryConfig{
|
|
CirconusAPIApp: stringVal(c.Telemetry.CirconusAPIApp),
|
|
CirconusAPIToken: stringVal(c.Telemetry.CirconusAPIToken),
|
|
CirconusAPIURL: stringVal(c.Telemetry.CirconusAPIURL),
|
|
CirconusBrokerID: stringVal(c.Telemetry.CirconusBrokerID),
|
|
CirconusBrokerSelectTag: stringVal(c.Telemetry.CirconusBrokerSelectTag),
|
|
CirconusCheckDisplayName: stringVal(c.Telemetry.CirconusCheckDisplayName),
|
|
CirconusCheckForceMetricActivation: stringVal(c.Telemetry.CirconusCheckForceMetricActivation),
|
|
CirconusCheckID: stringVal(c.Telemetry.CirconusCheckID),
|
|
CirconusCheckInstanceID: stringVal(c.Telemetry.CirconusCheckInstanceID),
|
|
CirconusCheckSearchTag: stringVal(c.Telemetry.CirconusCheckSearchTag),
|
|
CirconusCheckTags: stringVal(c.Telemetry.CirconusCheckTags),
|
|
CirconusSubmissionInterval: stringVal(c.Telemetry.CirconusSubmissionInterval),
|
|
CirconusSubmissionURL: stringVal(c.Telemetry.CirconusSubmissionURL),
|
|
DisableHostname: boolVal(c.Telemetry.DisableHostname),
|
|
DogstatsdAddr: stringVal(c.Telemetry.DogstatsdAddr),
|
|
DogstatsdTags: c.Telemetry.DogstatsdTags,
|
|
RetryFailedConfiguration: boolVal(c.Telemetry.RetryFailedConfiguration),
|
|
FilterDefault: boolVal(c.Telemetry.FilterDefault),
|
|
AllowedPrefixes: telemetryAllowedPrefixes,
|
|
BlockedPrefixes: telemetryBlockedPrefixes,
|
|
MetricsPrefix: stringVal(c.Telemetry.MetricsPrefix),
|
|
StatsdAddr: stringVal(c.Telemetry.StatsdAddr),
|
|
StatsiteAddr: stringVal(c.Telemetry.StatsiteAddr),
|
|
PrometheusOpts: prometheus.PrometheusOpts{
|
|
Expiration: b.durationVal("prometheus_retention_time", c.Telemetry.PrometheusRetentionTime),
|
|
Name: stringVal(c.Telemetry.MetricsPrefix),
|
|
},
|
|
},
|
|
|
|
// Agent
|
|
AdvertiseAddrLAN: advertiseAddrLAN,
|
|
AdvertiseAddrWAN: advertiseAddrWAN,
|
|
AdvertiseReconnectTimeout: b.durationVal("advertise_reconnect_timeout", c.AdvertiseReconnectTimeout),
|
|
BindAddr: bindAddr,
|
|
Bootstrap: boolVal(c.Bootstrap),
|
|
BootstrapExpect: intVal(c.BootstrapExpect),
|
|
Cache: cache.Options{
|
|
EntryFetchRate: limitValWithDefault(
|
|
c.Cache.EntryFetchRate, float64(cache.DefaultEntryFetchRate),
|
|
),
|
|
EntryFetchMaxBurst: intValWithDefault(
|
|
c.Cache.EntryFetchMaxBurst, cache.DefaultEntryFetchMaxBurst,
|
|
),
|
|
},
|
|
AutoReloadConfig: boolVal(c.AutoReloadConfig),
|
|
CheckUpdateInterval: b.durationVal("check_update_interval", c.CheckUpdateInterval),
|
|
CheckOutputMaxSize: intValWithDefault(c.CheckOutputMaxSize, 4096),
|
|
Checks: checks,
|
|
ClientAddrs: clientAddrs,
|
|
ConfigEntryBootstrap: configEntries,
|
|
AutoEncryptTLS: boolVal(c.AutoEncrypt.TLS),
|
|
AutoEncryptDNSSAN: autoEncryptDNSSAN,
|
|
AutoEncryptIPSAN: autoEncryptIPSAN,
|
|
AutoEncryptAllowTLS: autoEncryptAllowTLS,
|
|
AutoConfig: autoConfig,
|
|
Cloud: b.cloudConfigVal(c.Cloud),
|
|
ConnectEnabled: connectEnabled,
|
|
ConnectCAProvider: connectCAProvider,
|
|
ConnectCAConfig: connectCAConfig,
|
|
ConnectMeshGatewayWANFederationEnabled: connectMeshGatewayWANFederationEnabled,
|
|
ConnectSidecarMinPort: sidecarMinPort,
|
|
ConnectSidecarMaxPort: sidecarMaxPort,
|
|
ConnectTestCALeafRootChangeSpread: b.durationVal("connect.test_ca_leaf_root_change_spread", c.Connect.TestCALeafRootChangeSpread),
|
|
ExposeMinPort: exposeMinPort,
|
|
ExposeMaxPort: exposeMaxPort,
|
|
DataDir: dataDir,
|
|
Datacenter: datacenter,
|
|
DefaultQueryTime: b.durationVal("default_query_time", c.DefaultQueryTime),
|
|
DevMode: boolVal(b.opts.DevMode),
|
|
DisableAnonymousSignature: boolVal(c.DisableAnonymousSignature),
|
|
DisableCoordinates: boolVal(c.DisableCoordinates),
|
|
DisableHostNodeID: boolVal(c.DisableHostNodeID),
|
|
DisableHTTPUnprintableCharFilter: boolVal(c.DisableHTTPUnprintableCharFilter),
|
|
DisableKeyringFile: boolVal(c.DisableKeyringFile),
|
|
DisableRemoteExec: boolVal(c.DisableRemoteExec),
|
|
DisableUpdateCheck: boolVal(c.DisableUpdateCheck),
|
|
DiscardCheckOutput: boolVal(c.DiscardCheckOutput),
|
|
|
|
DiscoveryMaxStale: b.durationVal("discovery_max_stale", c.DiscoveryMaxStale),
|
|
EnableAgentTLSForChecks: boolVal(c.EnableAgentTLSForChecks),
|
|
EnableCentralServiceConfig: boolVal(c.EnableCentralServiceConfig),
|
|
EnableDebug: boolVal(c.EnableDebug),
|
|
EnableRemoteScriptChecks: enableRemoteScriptChecks,
|
|
EnableLocalScriptChecks: enableLocalScriptChecks,
|
|
EncryptKey: stringVal(c.EncryptKey),
|
|
GRPCAddrs: grpcAddrs,
|
|
GRPCPort: grpcPort,
|
|
GRPCTLSAddrs: grpcTlsAddrs,
|
|
GRPCTLSPort: grpcTlsPort,
|
|
HTTPMaxConnsPerClient: intVal(c.Limits.HTTPMaxConnsPerClient),
|
|
HTTPSHandshakeTimeout: b.durationVal("limits.https_handshake_timeout", c.Limits.HTTPSHandshakeTimeout),
|
|
KVMaxValueSize: uint64Val(c.Limits.KVMaxValueSize),
|
|
LeaveDrainTime: b.durationVal("performance.leave_drain_time", c.Performance.LeaveDrainTime),
|
|
LeaveOnTerm: leaveOnTerm,
|
|
StaticRuntimeConfig: StaticRuntimeConfig{
|
|
EncryptVerifyIncoming: boolVal(c.EncryptVerifyIncoming),
|
|
EncryptVerifyOutgoing: boolVal(c.EncryptVerifyOutgoing),
|
|
},
|
|
|
|
Logging: logging.Config{
|
|
LogLevel: stringVal(c.LogLevel),
|
|
LogJSON: boolVal(c.LogJSON),
|
|
LogFilePath: stringVal(c.LogFile),
|
|
EnableSyslog: boolVal(c.EnableSyslog),
|
|
SyslogFacility: stringVal(c.SyslogFacility),
|
|
LogRotateDuration: b.durationVal("log_rotate_duration", c.LogRotateDuration),
|
|
LogRotateBytes: intVal(c.LogRotateBytes),
|
|
LogRotateMaxFiles: intVal(c.LogRotateMaxFiles),
|
|
},
|
|
MaxQueryTime: b.durationVal("max_query_time", c.MaxQueryTime),
|
|
NodeID: types.NodeID(stringVal(c.NodeID)),
|
|
NodeMeta: c.NodeMeta,
|
|
NodeName: b.nodeName(c.NodeName),
|
|
ReadReplica: boolVal(c.ReadReplica),
|
|
PeeringEnabled: boolVal(c.Peering.Enabled),
|
|
PeeringTestAllowPeerRegistrations: boolValWithDefault(c.Peering.TestAllowPeerRegistrations, false),
|
|
PidFile: stringVal(c.PidFile),
|
|
PrimaryDatacenter: primaryDatacenter,
|
|
PrimaryGateways: b.expandAllOptionalAddrs("primary_gateways", c.PrimaryGateways),
|
|
PrimaryGatewaysInterval: b.durationVal("primary_gateways_interval", c.PrimaryGatewaysInterval),
|
|
RPCAdvertiseAddr: rpcAdvertiseAddr,
|
|
RPCBindAddr: rpcBindAddr,
|
|
RPCHandshakeTimeout: b.durationVal("limits.rpc_handshake_timeout", c.Limits.RPCHandshakeTimeout),
|
|
RPCHoldTimeout: b.durationVal("performance.rpc_hold_timeout", c.Performance.RPCHoldTimeout),
|
|
RPCClientTimeout: b.durationVal("limits.rpc_client_timeout", c.Limits.RPCClientTimeout),
|
|
RPCMaxBurst: intVal(c.Limits.RPCMaxBurst),
|
|
RPCMaxConnsPerClient: intVal(c.Limits.RPCMaxConnsPerClient),
|
|
RPCProtocol: intVal(c.RPCProtocol),
|
|
RPCRateLimit: limitVal(c.Limits.RPCRate),
|
|
RPCConfig: consul.RPCConfig{EnableStreaming: boolValWithDefault(c.RPC.EnableStreaming, serverMode)},
|
|
RaftProtocol: intVal(c.RaftProtocol),
|
|
RaftSnapshotThreshold: intVal(c.RaftSnapshotThreshold),
|
|
RaftSnapshotInterval: b.durationVal("raft_snapshot_interval", c.RaftSnapshotInterval),
|
|
RaftTrailingLogs: intVal(c.RaftTrailingLogs),
|
|
RaftLogStoreConfig: b.raftLogStoreConfigVal(&c.RaftLogStore),
|
|
ReconnectTimeoutLAN: b.durationVal("reconnect_timeout", c.ReconnectTimeoutLAN),
|
|
ReconnectTimeoutWAN: b.durationVal("reconnect_timeout_wan", c.ReconnectTimeoutWAN),
|
|
RejoinAfterLeave: boolVal(c.RejoinAfterLeave),
|
|
RequestLimitsMode: b.requestsLimitsModeVal(stringVal(c.Limits.RequestLimits.Mode)),
|
|
RequestLimitsReadRate: limitVal(c.Limits.RequestLimits.ReadRate),
|
|
RequestLimitsWriteRate: limitVal(c.Limits.RequestLimits.WriteRate),
|
|
RetryJoinIntervalLAN: b.durationVal("retry_interval", c.RetryJoinIntervalLAN),
|
|
RetryJoinIntervalWAN: b.durationVal("retry_interval_wan", c.RetryJoinIntervalWAN),
|
|
RetryJoinLAN: b.expandAllOptionalAddrs("retry_join", c.RetryJoinLAN),
|
|
RetryJoinMaxAttemptsLAN: intVal(c.RetryJoinMaxAttemptsLAN),
|
|
RetryJoinMaxAttemptsWAN: intVal(c.RetryJoinMaxAttemptsWAN),
|
|
RetryJoinWAN: b.expandAllOptionalAddrs("retry_join_wan", c.RetryJoinWAN),
|
|
SegmentName: stringVal(c.SegmentName),
|
|
Segments: segments,
|
|
SegmentLimit: intVal(c.SegmentLimit),
|
|
SerfAdvertiseAddrLAN: serfAdvertiseAddrLAN,
|
|
SerfAdvertiseAddrWAN: serfAdvertiseAddrWAN,
|
|
SerfAllowedCIDRsLAN: serfAllowedCIDRSLAN,
|
|
SerfAllowedCIDRsWAN: serfAllowedCIDRSWAN,
|
|
SerfBindAddrLAN: serfBindAddrLAN,
|
|
SerfBindAddrWAN: serfBindAddrWAN,
|
|
SerfPortLAN: serfPortLAN,
|
|
SerfPortWAN: serfPortWAN,
|
|
ServerMode: serverMode,
|
|
ServerName: stringVal(c.ServerName),
|
|
ServerPort: serverPort,
|
|
Services: services,
|
|
SessionTTLMin: b.durationVal("session_ttl_min", c.SessionTTLMin),
|
|
SkipLeaveOnInt: skipLeaveOnInt,
|
|
TaggedAddresses: c.TaggedAddresses,
|
|
TranslateWANAddrs: boolVal(c.TranslateWANAddrs),
|
|
TxnMaxReqLen: uint64Val(c.Limits.TxnMaxReqLen),
|
|
UIConfig: b.uiConfigVal(c.UIConfig),
|
|
UnixSocketGroup: stringVal(c.UnixSocket.Group),
|
|
UnixSocketMode: stringVal(c.UnixSocket.Mode),
|
|
UnixSocketUser: stringVal(c.UnixSocket.User),
|
|
Watches: c.Watches,
|
|
XDSUpdateRateLimit: limitVal(c.XDS.UpdateMaxPerSecond),
|
|
AutoReloadConfigCoalesceInterval: 1 * time.Second,
|
|
LocalProxyConfigResyncInterval: 30 * time.Second,
|
|
}
|
|
|
|
rt.TLS, err = b.buildTLSConfig(rt, c.TLS)
|
|
if err != nil {
|
|
return RuntimeConfig{}, err
|
|
}
|
|
|
|
// `ports.grpc` previously supported TLS, but this was changed for Consul 1.14.
|
|
// This check is done to warn users that a config change is mandatory.
|
|
if rt.TLS.GRPC.CertFile != "" || (rt.TLS.AutoTLS && rt.TLS.GRPC.UseAutoCert) {
|
|
// If only `ports.grpc` is enabled, and the gRPC TLS port is not explicitly defined by the user,
|
|
// check the grpc TLS settings for incompatibilities.
|
|
if rt.GRPCPort > 0 && c.Ports.GRPCTLS == nil {
|
|
return RuntimeConfig{}, fmt.Errorf("the `ports.grpc` listener no longer supports TLS. Use `ports.grpc_tls` instead. This message is appearing because GRPC is configured to use TLS, but `ports.grpc_tls` is not defined")
|
|
}
|
|
}
|
|
|
|
rt.UseStreamingBackend = boolValWithDefault(c.UseStreamingBackend, true)
|
|
|
|
if rt.Cache.EntryFetchMaxBurst <= 0 {
|
|
return RuntimeConfig{}, fmt.Errorf("cache.entry_fetch_max_burst must be strictly positive, was: %v", rt.Cache.EntryFetchMaxBurst)
|
|
}
|
|
if rt.Cache.EntryFetchRate <= 0 {
|
|
return RuntimeConfig{}, fmt.Errorf("cache.entry_fetch_rate must be strictly positive, was: %v", rt.Cache.EntryFetchRate)
|
|
}
|
|
|
|
if rt.UIConfig.MetricsProvider == "prometheus" {
|
|
// Handle defaulting for the built-in version of prometheus.
|
|
if len(rt.UIConfig.MetricsProxy.PathAllowlist) == 0 {
|
|
rt.UIConfig.MetricsProxy.PathAllowlist = []string{
|
|
"/api/v1/query",
|
|
"/api/v1/query_range",
|
|
}
|
|
}
|
|
}
|
|
|
|
if err := b.BuildEnterpriseRuntimeConfig(&rt, &c); err != nil {
|
|
return rt, err
|
|
}
|
|
|
|
if rt.BootstrapExpect == 1 {
|
|
rt.Bootstrap = true
|
|
rt.BootstrapExpect = 0
|
|
b.warn(`BootstrapExpect is set to 1; this is the same as Bootstrap mode.`)
|
|
}
|
|
|
|
return rt, nil
|
|
}
|
|
|
|
func advertiseAddrFunc(opts LoadOpts, advertiseAddr *net.IPAddr) (string, func() ([]*net.IPAddr, error)) {
|
|
switch {
|
|
case ipaddr.IsAnyV4(advertiseAddr):
|
|
fn := opts.getPrivateIPv4
|
|
if fn == nil {
|
|
fn = ipaddr.GetPrivateIPv4
|
|
}
|
|
return "private IPv4", fn
|
|
|
|
case ipaddr.IsAnyV6(advertiseAddr):
|
|
fn := opts.getPublicIPv6
|
|
if fn == nil {
|
|
fn = ipaddr.GetPublicIPv6
|
|
}
|
|
return "public IPv6", fn
|
|
|
|
default:
|
|
panic("unsupported net.IPAddr Type")
|
|
}
|
|
}
|
|
|
|
// reBasicName validates that a field contains only lower case alphanumerics,
|
|
// underscore and dash and is non-empty.
|
|
var reBasicName = regexp.MustCompile("^[a-z0-9_-]+$")
|
|
|
|
func validateBasicName(field, value string, allowEmpty bool) error {
|
|
if value == "" {
|
|
if allowEmpty {
|
|
return nil
|
|
}
|
|
return fmt.Errorf("%s cannot be empty", field)
|
|
}
|
|
if !reBasicName.MatchString(value) {
|
|
return fmt.Errorf("%s can only contain lowercase alphanumeric, - or _ characters."+
|
|
" received: %q", field, value)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// validate performs semantic validation of the runtime configuration.
|
|
func (b *builder) validate(rt RuntimeConfig) error {
|
|
// validContentPath defines a regexp for a valid content path name.
|
|
validContentPath := regexp.MustCompile(`^[A-Za-z0-9/_-]+$`)
|
|
hasVersion := regexp.MustCompile(`^/v\d+/$`)
|
|
// ----------------------------------------------------------------
|
|
// check required params we cannot recover from first
|
|
//
|
|
|
|
if rt.RaftProtocol != 3 {
|
|
return fmt.Errorf("raft_protocol version %d is not supported by this version of Consul", rt.RaftProtocol)
|
|
}
|
|
|
|
if err := validateBasicName("datacenter", rt.Datacenter, false); err != nil {
|
|
return err
|
|
}
|
|
if rt.DataDir == "" && !rt.DevMode {
|
|
return fmt.Errorf("data_dir cannot be empty")
|
|
}
|
|
|
|
if !validContentPath.MatchString(rt.UIConfig.ContentPath) {
|
|
return fmt.Errorf("ui-content-path can only contain alphanumeric, -, _, or /. received: %q", rt.UIConfig.ContentPath)
|
|
}
|
|
|
|
if hasVersion.MatchString(rt.UIConfig.ContentPath) {
|
|
return fmt.Errorf("ui-content-path cannot have 'v[0-9]'. received: %q", rt.UIConfig.ContentPath)
|
|
}
|
|
|
|
if err := validateBasicName("ui_config.metrics_provider", rt.UIConfig.MetricsProvider, true); err != nil {
|
|
return err
|
|
}
|
|
if rt.UIConfig.MetricsProviderOptionsJSON != "" {
|
|
// Attempt to parse the JSON to ensure it's valid, parsing into a map
|
|
// ensures we get an object.
|
|
var dummyMap map[string]interface{}
|
|
err := json.Unmarshal([]byte(rt.UIConfig.MetricsProviderOptionsJSON), &dummyMap)
|
|
if err != nil {
|
|
return fmt.Errorf("ui_config.metrics_provider_options_json must be empty "+
|
|
"or a string containing a valid JSON object. received: %q",
|
|
rt.UIConfig.MetricsProviderOptionsJSON)
|
|
}
|
|
}
|
|
if rt.UIConfig.MetricsProxy.BaseURL != "" {
|
|
u, err := url.Parse(rt.UIConfig.MetricsProxy.BaseURL)
|
|
if err != nil || !(u.Scheme == "http" || u.Scheme == "https") {
|
|
return fmt.Errorf("ui_config.metrics_proxy.base_url must be a valid http"+
|
|
" or https URL. received: %q",
|
|
rt.UIConfig.MetricsProxy.BaseURL)
|
|
}
|
|
}
|
|
for _, allowedPath := range rt.UIConfig.MetricsProxy.PathAllowlist {
|
|
if err := validateAbsoluteURLPath(allowedPath); err != nil {
|
|
return fmt.Errorf("ui_config.metrics_proxy.path_allowlist: %v", err)
|
|
}
|
|
}
|
|
for k, v := range rt.UIConfig.DashboardURLTemplates {
|
|
if err := validateBasicName("ui_config.dashboard_url_templates key names", k, false); err != nil {
|
|
return err
|
|
}
|
|
u, err := url.Parse(v)
|
|
if err != nil || !(u.Scheme == "http" || u.Scheme == "https") {
|
|
return fmt.Errorf("ui_config.dashboard_url_templates values must be a"+
|
|
" valid http or https URL. received: %q",
|
|
rt.UIConfig.MetricsProxy.BaseURL)
|
|
}
|
|
}
|
|
|
|
if !rt.DevMode {
|
|
fi, err := os.Stat(rt.DataDir)
|
|
switch {
|
|
case err != nil && !os.IsNotExist(err):
|
|
return fmt.Errorf("Error getting info on data_dir: %s", err)
|
|
case err == nil && !fi.IsDir():
|
|
return fmt.Errorf("data_dir %q is not a directory", rt.DataDir)
|
|
}
|
|
}
|
|
|
|
switch {
|
|
case rt.NodeName == "":
|
|
return fmt.Errorf("node_name cannot be empty")
|
|
case dns.InvalidNameRe.MatchString(rt.NodeName):
|
|
b.warn("Node name %q will not be discoverable "+
|
|
"via DNS due to invalid characters. Valid characters include "+
|
|
"all alpha-numerics and dashes.", rt.NodeName)
|
|
case consul.InvalidNodeName.MatchString(rt.NodeName):
|
|
// todo(kyhavlov): Add stronger validation here for node names.
|
|
b.warn("Found invalid characters in node name %q - whitespace and quotes "+
|
|
"(', \", `) cannot be used with auto-config.", rt.NodeName)
|
|
case len(rt.NodeName) > dns.MaxLabelLength:
|
|
b.warn("Node name %q will not be discoverable "+
|
|
"via DNS due to it being too long. Valid lengths are between "+
|
|
"1 and 63 bytes.", rt.NodeName)
|
|
}
|
|
|
|
if ipaddr.IsAny(rt.AdvertiseAddrLAN.IP) {
|
|
return fmt.Errorf("Advertise address cannot be 0.0.0.0, :: or [::]")
|
|
}
|
|
if ipaddr.IsAny(rt.AdvertiseAddrWAN.IP) {
|
|
return fmt.Errorf("Advertise WAN address cannot be 0.0.0.0, :: or [::]")
|
|
}
|
|
if err := b.validateSegments(rt); err != nil {
|
|
return err
|
|
}
|
|
for _, a := range rt.DNSAddrs {
|
|
if _, ok := a.(*net.UnixAddr); ok {
|
|
return fmt.Errorf("DNS address cannot be a unix socket")
|
|
}
|
|
}
|
|
for _, a := range rt.DNSRecursors {
|
|
if ipaddr.IsAny(a) {
|
|
return fmt.Errorf("DNS recursor address cannot be 0.0.0.0, :: or [::]")
|
|
}
|
|
}
|
|
if !isValidAltDomain(rt.DNSAltDomain, rt.Datacenter) {
|
|
return fmt.Errorf("alt_domain cannot start with {service,connect,node,query,addr,%s}", rt.Datacenter)
|
|
}
|
|
if rt.Bootstrap && !rt.ServerMode {
|
|
return fmt.Errorf("'bootstrap = true' requires 'server = true'")
|
|
}
|
|
if rt.BootstrapExpect < 0 {
|
|
return fmt.Errorf("bootstrap_expect cannot be %d. Must be greater than or equal to zero", rt.BootstrapExpect)
|
|
}
|
|
if rt.BootstrapExpect > 0 && !rt.ServerMode {
|
|
return fmt.Errorf("'bootstrap_expect > 0' requires 'server = true'")
|
|
}
|
|
if rt.BootstrapExpect > 0 && rt.DevMode {
|
|
return fmt.Errorf("'bootstrap_expect > 0' not allowed in dev mode")
|
|
}
|
|
if rt.BootstrapExpect > 0 && rt.Bootstrap {
|
|
return fmt.Errorf("'bootstrap_expect > 0' and 'bootstrap = true' are mutually exclusive")
|
|
}
|
|
if rt.CheckOutputMaxSize < 1 {
|
|
return fmt.Errorf("check_output_max_size must be positive, to discard check output use the discard_check_output flag")
|
|
}
|
|
if rt.AEInterval <= 0 {
|
|
return fmt.Errorf("ae_interval cannot be %s. Must be positive", rt.AEInterval)
|
|
}
|
|
if rt.AutopilotMaxTrailingLogs < 0 {
|
|
return fmt.Errorf("autopilot.max_trailing_logs cannot be %d. Must be greater than or equal to zero", rt.AutopilotMaxTrailingLogs)
|
|
}
|
|
if err := validateBasicName("primary_datacenter", rt.PrimaryDatacenter, true); err != nil {
|
|
return err
|
|
}
|
|
// In DevMode, UI is enabled by default, so to enable rt.UIDir, don't perform this check
|
|
if !rt.DevMode && rt.UIConfig.Enabled && rt.UIConfig.Dir != "" {
|
|
return fmt.Errorf(
|
|
"Both the ui_config.enabled and ui_config.dir (or -ui and -ui-dir) were specified, please provide only one.\n" +
|
|
"If trying to use your own web UI resources, use ui_config.dir or the -ui-dir flag.\n" +
|
|
"The web UI is included in the binary so use ui_config.enabled or the -ui flag to enable it")
|
|
}
|
|
if rt.DNSUDPAnswerLimit < 0 {
|
|
return fmt.Errorf("dns_config.udp_answer_limit cannot be %d. Must be greater than or equal to zero", rt.DNSUDPAnswerLimit)
|
|
}
|
|
if rt.DNSARecordLimit < 0 {
|
|
return fmt.Errorf("dns_config.a_record_limit cannot be %d. Must be greater than or equal to zero", rt.DNSARecordLimit)
|
|
}
|
|
if err := structs.ValidateNodeMetadata(rt.NodeMeta, false); err != nil {
|
|
return fmt.Errorf("node_meta invalid: %v", err)
|
|
}
|
|
if rt.EncryptKey != "" {
|
|
if _, err := decodeBytes(rt.EncryptKey); err != nil {
|
|
return fmt.Errorf("encrypt has invalid key: %s", err)
|
|
}
|
|
}
|
|
|
|
if rt.ConnectMeshGatewayWANFederationEnabled && !rt.ServerMode {
|
|
return fmt.Errorf("'connect.enable_mesh_gateway_wan_federation = true' requires 'server = true'")
|
|
}
|
|
if rt.ConnectMeshGatewayWANFederationEnabled && strings.ContainsAny(rt.NodeName, "/") {
|
|
return fmt.Errorf("'connect.enable_mesh_gateway_wan_federation = true' requires that 'node_name' not contain '/' characters")
|
|
}
|
|
if rt.ConnectMeshGatewayWANFederationEnabled {
|
|
if len(rt.RetryJoinWAN) > 0 {
|
|
return fmt.Errorf("'retry_join_wan' is incompatible with 'connect.enable_mesh_gateway_wan_federation = true'")
|
|
}
|
|
}
|
|
if len(rt.PrimaryGateways) > 0 {
|
|
if !rt.ServerMode {
|
|
return fmt.Errorf("'primary_gateways' requires 'server = true'")
|
|
}
|
|
if rt.PrimaryDatacenter == rt.Datacenter {
|
|
return fmt.Errorf("'primary_gateways' should only be configured in a secondary datacenter")
|
|
}
|
|
}
|
|
|
|
// Check the data dir for signs of an un-migrated Consul 0.5.x or older
|
|
// server. Consul refuses to start if this is present to protect a server
|
|
// with existing data from starting on a fresh data set.
|
|
if rt.ServerMode {
|
|
mdbPath := filepath.Join(rt.DataDir, "mdb")
|
|
if _, err := os.Stat(mdbPath); !os.IsNotExist(err) {
|
|
if os.IsPermission(err) {
|
|
return fmt.Errorf(
|
|
"CRITICAL: Permission denied for data folder at %q!\n"+
|
|
"Consul will refuse to boot without access to this directory.\n"+
|
|
"Please correct permissions and try starting again.", mdbPath)
|
|
}
|
|
return fmt.Errorf("CRITICAL: Deprecated data folder found at %q!\n"+
|
|
"Consul will refuse to boot with this directory present.\n"+
|
|
"See https://www.consul.io/docs/upgrade-specific.html for more information.", mdbPath)
|
|
}
|
|
|
|
// Raft LogStore validation
|
|
if rt.RaftLogStoreConfig.Backend != consul.LogStoreBackendBoltDB &&
|
|
rt.RaftLogStoreConfig.Backend != consul.LogStoreBackendWAL {
|
|
return fmt.Errorf("raft_logstore.backend must be one of '%s' or '%s'",
|
|
consul.LogStoreBackendBoltDB, consul.LogStoreBackendWAL)
|
|
}
|
|
if rt.RaftLogStoreConfig.WAL.SegmentSize < 1024*1024 {
|
|
return fmt.Errorf("raft_logstore.wal.segment_size_mb cannot be less than 1MB")
|
|
}
|
|
if rt.RaftLogStoreConfig.WAL.SegmentSize > 1024*1024*1024 {
|
|
return fmt.Errorf("raft_logstore.wal.segment_size_mb cannot be greater than 1024 (1GiB)")
|
|
}
|
|
}
|
|
|
|
inuse := map[string]string{}
|
|
if err := addrsUnique(inuse, "DNS", rt.DNSAddrs); err != nil {
|
|
// cannot happen since this is the first address
|
|
// we leave this for consistency
|
|
return err
|
|
}
|
|
if err := addrsUnique(inuse, "HTTP", rt.HTTPAddrs); err != nil {
|
|
return err
|
|
}
|
|
if err := addrsUnique(inuse, "HTTPS", rt.HTTPSAddrs); err != nil {
|
|
return err
|
|
}
|
|
if err := addrUnique(inuse, "RPC Advertise", rt.RPCAdvertiseAddr); err != nil {
|
|
return err
|
|
}
|
|
if err := addrUnique(inuse, "Serf Advertise LAN", rt.SerfAdvertiseAddrLAN); err != nil {
|
|
return err
|
|
}
|
|
// Validate serf WAN advertise address only when its set
|
|
if rt.SerfAdvertiseAddrWAN != nil {
|
|
if err := addrUnique(inuse, "Serf Advertise WAN", rt.SerfAdvertiseAddrWAN); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if b.err != nil {
|
|
return b.err
|
|
}
|
|
|
|
// Check for errors in the service definitions
|
|
for _, s := range rt.Services {
|
|
if err := s.Validate(); err != nil {
|
|
return fmt.Errorf("service %q: %s", s.Name, err)
|
|
}
|
|
}
|
|
// Check for errors in the node check definitions
|
|
for _, c := range rt.Checks {
|
|
if err := c.CheckType().Validate(); err != nil {
|
|
return fmt.Errorf("check %q: %w", c.Name, err)
|
|
}
|
|
}
|
|
|
|
// Validate the given Connect CA provider config
|
|
validCAProviders := map[string]bool{
|
|
"": true,
|
|
structs.ConsulCAProvider: true,
|
|
structs.VaultCAProvider: true,
|
|
structs.AWSCAProvider: true,
|
|
}
|
|
if _, ok := validCAProviders[rt.ConnectCAProvider]; !ok {
|
|
return fmt.Errorf("%s is not a valid CA provider", rt.ConnectCAProvider)
|
|
} else {
|
|
switch rt.ConnectCAProvider {
|
|
case structs.ConsulCAProvider:
|
|
if _, err := ca.ParseConsulCAConfig(rt.ConnectCAConfig); err != nil {
|
|
return err
|
|
}
|
|
case structs.VaultCAProvider:
|
|
if _, err := ca.ParseVaultCAConfig(rt.ConnectCAConfig); err != nil {
|
|
return err
|
|
}
|
|
case structs.AWSCAProvider:
|
|
if _, err := ca.ParseAWSCAConfig(rt.ConnectCAConfig); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
if rt.ServerMode && rt.AutoEncryptTLS {
|
|
return fmt.Errorf("auto_encrypt.tls can only be used on a client.")
|
|
}
|
|
if !rt.ServerMode && rt.AutoEncryptAllowTLS {
|
|
return fmt.Errorf("auto_encrypt.allow_tls can only be used on a server.")
|
|
}
|
|
|
|
if rt.ServerMode && rt.AdvertiseReconnectTimeout != 0 {
|
|
return fmt.Errorf("advertise_reconnect_timeout can only be used on a client")
|
|
}
|
|
|
|
// ----------------------------------------------------------------
|
|
// warnings
|
|
//
|
|
|
|
if rt.ServerMode && !rt.DevMode && !rt.Bootstrap && rt.BootstrapExpect == 2 {
|
|
b.warn(`bootstrap_expect = 2: A cluster with 2 servers will provide no failure tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`)
|
|
}
|
|
|
|
if rt.ServerMode && !rt.Bootstrap && rt.BootstrapExpect > 2 && rt.BootstrapExpect%2 == 0 {
|
|
b.warn(`bootstrap_expect is even number: A cluster with an even number of servers does not achieve optimum fault tolerance. See https://www.consul.io/docs/internals/consensus.html#deployment-table`)
|
|
}
|
|
|
|
if rt.ServerMode && rt.Bootstrap && rt.BootstrapExpect == 0 {
|
|
b.warn(`bootstrap = true: do not enable unless necessary`)
|
|
}
|
|
|
|
if rt.ServerMode && !rt.DevMode && !rt.Bootstrap && rt.BootstrapExpect > 1 {
|
|
b.warn("bootstrap_expect > 0: expecting %d servers", rt.BootstrapExpect)
|
|
}
|
|
|
|
if rt.ServerMode {
|
|
if rt.UseStreamingBackend && !rt.RPCConfig.EnableStreaming {
|
|
b.warn("use_streaming_backend = true requires rpc.enable_streaming on servers to work properly")
|
|
}
|
|
} else if rt.RPCConfig.EnableStreaming {
|
|
b.warn("rpc.enable_streaming = true has no effect when not running in server mode")
|
|
}
|
|
|
|
if rt.AutoEncryptAllowTLS && !rt.TLS.InternalRPC.VerifyIncoming {
|
|
b.warn("if auto_encrypt.allow_tls is turned on, tls.internal_rpc.verify_incoming should be enabled (either explicitly or via tls.defaults.verify_incoming). It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards.")
|
|
}
|
|
|
|
if err := checkLimitsFromMaxConnsPerClient(rt.HTTPMaxConnsPerClient); err != nil {
|
|
return err
|
|
}
|
|
|
|
if rt.AutoConfig.Enabled && rt.AutoEncryptTLS {
|
|
return fmt.Errorf("both auto_encrypt.tls and auto_config.enabled cannot be set to true.")
|
|
}
|
|
|
|
if err := b.validateAutoConfig(rt); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := validateRemoteScriptsChecks(rt); err != nil {
|
|
// TODO: make this an error in a future version
|
|
b.warn(err.Error())
|
|
}
|
|
|
|
err := b.validateEnterpriseConfig(rt)
|
|
return err
|
|
}
|
|
|
|
// addrUnique checks if the given address is already in use for another
|
|
// protocol.
|
|
func addrUnique(inuse map[string]string, name string, addr net.Addr) error {
|
|
key := addr.Network() + ":" + addr.String()
|
|
if other, ok := inuse[key]; ok {
|
|
return fmt.Errorf("%s address %s already configured for %s", name, addr.String(), other)
|
|
}
|
|
inuse[key] = name
|
|
return nil
|
|
}
|
|
|
|
// addrsUnique checks if any of the give addresses is already in use for
|
|
// another protocol.
|
|
func addrsUnique(inuse map[string]string, name string, addrs []net.Addr) error {
|
|
for _, a := range addrs {
|
|
if err := addrUnique(inuse, name, a); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// splitSlicesAndValues moves all slice values defined in c to 'slices'
|
|
// and all other values to 'values'.
|
|
func splitSlicesAndValues(c Config) (slices, values Config) {
|
|
v, t := reflect.ValueOf(c), reflect.TypeOf(c)
|
|
rs, rv := reflect.New(t), reflect.New(t)
|
|
|
|
for i := 0; i < t.NumField(); i++ {
|
|
f := t.Field(i)
|
|
if f.Type.Kind() == reflect.Slice {
|
|
rs.Elem().Field(i).Set(v.Field(i))
|
|
} else {
|
|
rv.Elem().Field(i).Set(v.Field(i))
|
|
}
|
|
}
|
|
return rs.Elem().Interface().(Config), rv.Elem().Interface().(Config)
|
|
}
|
|
|
|
func (b *builder) warn(msg string, args ...interface{}) {
|
|
b.Warnings = append(b.Warnings, fmt.Sprintf(msg, args...))
|
|
}
|
|
|
|
func (b *builder) checkVal(v *CheckDefinition) *structs.CheckDefinition {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
var H2PingUseTLSVal bool
|
|
if stringVal(v.H2PING) != "" {
|
|
H2PingUseTLSVal = boolValWithDefault(v.H2PingUseTLS, true)
|
|
} else {
|
|
H2PingUseTLSVal = boolVal(v.H2PingUseTLS)
|
|
}
|
|
|
|
id := types.CheckID(stringVal(v.ID))
|
|
|
|
return &structs.CheckDefinition{
|
|
ID: id,
|
|
Name: stringVal(v.Name),
|
|
Notes: stringVal(v.Notes),
|
|
ServiceID: stringVal(v.ServiceID),
|
|
Token: stringVal(v.Token),
|
|
Status: stringVal(v.Status),
|
|
ScriptArgs: v.ScriptArgs,
|
|
HTTP: stringVal(v.HTTP),
|
|
Header: v.Header,
|
|
Method: stringVal(v.Method),
|
|
Body: stringVal(v.Body),
|
|
DisableRedirects: boolVal(v.DisableRedirects),
|
|
TCP: stringVal(v.TCP),
|
|
UDP: stringVal(v.UDP),
|
|
Interval: b.durationVal(fmt.Sprintf("check[%s].interval", id), v.Interval),
|
|
DockerContainerID: stringVal(v.DockerContainerID),
|
|
Shell: stringVal(v.Shell),
|
|
GRPC: stringVal(v.GRPC),
|
|
GRPCUseTLS: boolVal(v.GRPCUseTLS),
|
|
TLSServerName: stringVal(v.TLSServerName),
|
|
TLSSkipVerify: boolVal(v.TLSSkipVerify),
|
|
AliasNode: stringVal(v.AliasNode),
|
|
AliasService: stringVal(v.AliasService),
|
|
Timeout: b.durationVal(fmt.Sprintf("check[%s].timeout", id), v.Timeout),
|
|
TTL: b.durationVal(fmt.Sprintf("check[%s].ttl", id), v.TTL),
|
|
SuccessBeforePassing: intVal(v.SuccessBeforePassing),
|
|
FailuresBeforeCritical: intVal(v.FailuresBeforeCritical),
|
|
FailuresBeforeWarning: intValWithDefault(v.FailuresBeforeWarning, intVal(v.FailuresBeforeCritical)),
|
|
H2PING: stringVal(v.H2PING),
|
|
H2PingUseTLS: H2PingUseTLSVal,
|
|
OSService: stringVal(v.OSService),
|
|
DeregisterCriticalServiceAfter: b.durationVal(fmt.Sprintf("check[%s].deregister_critical_service_after", id), v.DeregisterCriticalServiceAfter),
|
|
OutputMaxSize: intValWithDefault(v.OutputMaxSize, checks.DefaultBufSize),
|
|
EnterpriseMeta: v.EnterpriseMeta.ToStructs(),
|
|
}
|
|
}
|
|
|
|
func (b *builder) svcTaggedAddresses(v map[string]ServiceAddress) map[string]structs.ServiceAddress {
|
|
if len(v) <= 0 {
|
|
return nil
|
|
}
|
|
|
|
svcAddrs := make(map[string]structs.ServiceAddress)
|
|
for addrName, addrConf := range v {
|
|
addr := structs.ServiceAddress{}
|
|
if addrConf.Address != nil {
|
|
addr.Address = *addrConf.Address
|
|
}
|
|
if addrConf.Port != nil {
|
|
addr.Port = *addrConf.Port
|
|
}
|
|
|
|
svcAddrs[addrName] = addr
|
|
}
|
|
return svcAddrs
|
|
}
|
|
|
|
func (b *builder) serviceVal(v *ServiceDefinition) *structs.ServiceDefinition {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
var checks structs.CheckTypes
|
|
for _, check := range v.Checks {
|
|
checks = append(checks, b.checkVal(&check).CheckType())
|
|
}
|
|
if v.Check != nil {
|
|
checks = append(checks, b.checkVal(v.Check).CheckType())
|
|
}
|
|
|
|
kind := b.serviceKindVal(v.Kind)
|
|
|
|
meta := make(map[string]string)
|
|
if err := structs.ValidateServiceMetadata(kind, v.Meta, false); err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("invalid meta for service %s: %v", stringVal(v.Name), err))
|
|
} else {
|
|
meta = v.Meta
|
|
}
|
|
serviceWeights := &structs.Weights{Passing: 1, Warning: 1}
|
|
if v.Weights != nil {
|
|
if v.Weights.Passing != nil {
|
|
serviceWeights.Passing = *v.Weights.Passing
|
|
}
|
|
if v.Weights.Warning != nil {
|
|
serviceWeights.Warning = *v.Weights.Warning
|
|
}
|
|
}
|
|
|
|
if err := structs.ValidateWeights(serviceWeights); err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("Invalid weight definition for service %s: %s", stringVal(v.Name), err))
|
|
}
|
|
|
|
if (v.Port != nil || v.Address != nil) && (v.SocketPath != nil) {
|
|
b.err = multierror.Append(b.err,
|
|
fmt.Errorf("service %s cannot have both socket path %s and address/port",
|
|
stringVal(v.Name), stringVal(v.SocketPath)))
|
|
}
|
|
|
|
return &structs.ServiceDefinition{
|
|
Kind: kind,
|
|
ID: stringVal(v.ID),
|
|
Name: stringVal(v.Name),
|
|
Tags: v.Tags,
|
|
Address: stringVal(v.Address),
|
|
TaggedAddresses: b.svcTaggedAddresses(v.TaggedAddresses),
|
|
Meta: meta,
|
|
Port: intVal(v.Port),
|
|
SocketPath: stringVal(v.SocketPath),
|
|
Token: stringVal(v.Token),
|
|
EnableTagOverride: boolVal(v.EnableTagOverride),
|
|
Weights: serviceWeights,
|
|
Checks: checks,
|
|
Proxy: b.serviceProxyVal(v.Proxy),
|
|
Connect: b.serviceConnectVal(v.Connect),
|
|
EnterpriseMeta: v.EnterpriseMeta.ToStructs(),
|
|
}
|
|
}
|
|
|
|
func (b *builder) serviceKindVal(v *string) structs.ServiceKind {
|
|
if v == nil {
|
|
return structs.ServiceKindTypical
|
|
}
|
|
switch *v {
|
|
case string(structs.ServiceKindConnectProxy):
|
|
return structs.ServiceKindConnectProxy
|
|
case string(structs.ServiceKindMeshGateway):
|
|
return structs.ServiceKindMeshGateway
|
|
case string(structs.ServiceKindTerminatingGateway):
|
|
return structs.ServiceKindTerminatingGateway
|
|
case string(structs.ServiceKindIngressGateway):
|
|
return structs.ServiceKindIngressGateway
|
|
case string(structs.ServiceKindAPIGateway):
|
|
return structs.ServiceKindAPIGateway
|
|
default:
|
|
return structs.ServiceKindTypical
|
|
}
|
|
}
|
|
|
|
func (b *builder) serviceProxyVal(v *ServiceProxy) *structs.ConnectProxyConfig {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
return &structs.ConnectProxyConfig{
|
|
DestinationServiceName: stringVal(v.DestinationServiceName),
|
|
DestinationServiceID: stringVal(v.DestinationServiceID),
|
|
LocalServiceAddress: stringVal(v.LocalServiceAddress),
|
|
LocalServicePort: intVal(v.LocalServicePort),
|
|
LocalServiceSocketPath: stringVal(&v.LocalServiceSocketPath),
|
|
Config: v.Config,
|
|
Upstreams: b.upstreamsVal(v.Upstreams),
|
|
MeshGateway: b.meshGatewayConfVal(v.MeshGateway),
|
|
Expose: b.exposeConfVal(v.Expose),
|
|
Mode: b.proxyModeVal(v.Mode),
|
|
TransparentProxy: b.transparentProxyConfVal(v.TransparentProxy),
|
|
}
|
|
}
|
|
|
|
func (b *builder) upstreamsVal(v []Upstream) structs.Upstreams {
|
|
ups := make(structs.Upstreams, len(v))
|
|
for i, u := range v {
|
|
ups[i] = structs.Upstream{
|
|
DestinationType: stringVal(u.DestinationType),
|
|
DestinationNamespace: stringVal(u.DestinationNamespace),
|
|
DestinationPartition: stringVal(u.DestinationPartition),
|
|
DestinationPeer: stringVal(u.DestinationPeer),
|
|
DestinationName: stringVal(u.DestinationName),
|
|
Datacenter: stringVal(u.Datacenter),
|
|
LocalBindAddress: stringVal(u.LocalBindAddress),
|
|
LocalBindPort: intVal(u.LocalBindPort),
|
|
LocalBindSocketPath: stringVal(u.LocalBindSocketPath),
|
|
LocalBindSocketMode: b.unixPermissionsVal("local_bind_socket_mode", u.LocalBindSocketMode),
|
|
Config: u.Config,
|
|
MeshGateway: b.meshGatewayConfVal(u.MeshGateway),
|
|
}
|
|
if ups[i].DestinationType == "" {
|
|
ups[i].DestinationType = structs.UpstreamDestTypeService
|
|
}
|
|
}
|
|
return ups
|
|
}
|
|
|
|
func (b *builder) meshGatewayConfVal(mgConf *MeshGatewayConfig) structs.MeshGatewayConfig {
|
|
cfg := structs.MeshGatewayConfig{Mode: structs.MeshGatewayModeDefault}
|
|
if mgConf == nil || mgConf.Mode == nil {
|
|
// return defaults
|
|
return cfg
|
|
}
|
|
|
|
mode, err := structs.ValidateMeshGatewayMode(*mgConf.Mode)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, err)
|
|
return cfg
|
|
}
|
|
|
|
cfg.Mode = mode
|
|
return cfg
|
|
}
|
|
|
|
func (b *builder) dnsRecursorStrategyVal(v string) dns.RecursorStrategy {
|
|
var out dns.RecursorStrategy
|
|
|
|
switch dns.RecursorStrategy(v) {
|
|
case dns.RecursorStrategyRandom:
|
|
out = dns.RecursorStrategyRandom
|
|
case dns.RecursorStrategySequential, "":
|
|
out = dns.RecursorStrategySequential
|
|
default:
|
|
b.err = multierror.Append(b.err, fmt.Errorf("dns_config.recursor_strategy: invalid strategy: %q", v))
|
|
}
|
|
return out
|
|
}
|
|
|
|
func (b *builder) requestsLimitsModeVal(v string) consulrate.Mode {
|
|
var out consulrate.Mode
|
|
|
|
mode, ok := consulrate.RequestLimitsModeFromName(v)
|
|
if !ok {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("limits.request_limits.mode: invalid mode: %q", v))
|
|
} else {
|
|
out = mode
|
|
}
|
|
|
|
return out
|
|
}
|
|
|
|
func (b *builder) exposeConfVal(v *ExposeConfig) structs.ExposeConfig {
|
|
var out structs.ExposeConfig
|
|
if v == nil {
|
|
return out
|
|
}
|
|
|
|
out.Checks = boolVal(v.Checks)
|
|
out.Paths = b.pathsVal(v.Paths)
|
|
return out
|
|
}
|
|
|
|
func (b *builder) transparentProxyConfVal(tproxyConf *TransparentProxyConfig) structs.TransparentProxyConfig {
|
|
var out structs.TransparentProxyConfig
|
|
if tproxyConf == nil {
|
|
return out
|
|
}
|
|
|
|
out.OutboundListenerPort = intVal(tproxyConf.OutboundListenerPort)
|
|
out.DialedDirectly = boolVal(tproxyConf.DialedDirectly)
|
|
return out
|
|
}
|
|
|
|
func (b *builder) proxyModeVal(v *string) structs.ProxyMode {
|
|
if v == nil {
|
|
return structs.ProxyModeDefault
|
|
}
|
|
|
|
mode, err := structs.ValidateProxyMode(*v)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, err)
|
|
}
|
|
return mode
|
|
}
|
|
|
|
func (b *builder) pathsVal(v []ExposePath) []structs.ExposePath {
|
|
paths := make([]structs.ExposePath, len(v))
|
|
for i, p := range v {
|
|
paths[i] = structs.ExposePath{
|
|
ListenerPort: intVal(p.ListenerPort),
|
|
Path: stringVal(p.Path),
|
|
LocalPathPort: intVal(p.LocalPathPort),
|
|
Protocol: stringVal(p.Protocol),
|
|
}
|
|
}
|
|
return paths
|
|
}
|
|
|
|
func (b *builder) serviceConnectVal(v *ServiceConnect) *structs.ServiceConnect {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
sidecar := b.serviceVal(v.SidecarService)
|
|
if sidecar != nil {
|
|
// Sanity checks
|
|
if sidecar.ID != "" {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("sidecar_service can't specify an ID"))
|
|
sidecar.ID = ""
|
|
}
|
|
if sidecar.Connect != nil {
|
|
if sidecar.Connect.SidecarService != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("sidecar_service can't have a nested sidecar_service"))
|
|
sidecar.Connect.SidecarService = nil
|
|
}
|
|
}
|
|
}
|
|
|
|
return &structs.ServiceConnect{
|
|
Native: boolVal(v.Native),
|
|
SidecarService: sidecar,
|
|
}
|
|
}
|
|
|
|
func (b *builder) uiConfigVal(v RawUIConfig) UIConfig {
|
|
return UIConfig{
|
|
Enabled: boolVal(v.Enabled),
|
|
Dir: stringVal(v.Dir),
|
|
ContentPath: UIPathBuilder(stringVal(v.ContentPath)),
|
|
MetricsProvider: stringVal(v.MetricsProvider),
|
|
MetricsProviderFiles: v.MetricsProviderFiles,
|
|
MetricsProviderOptionsJSON: stringVal(v.MetricsProviderOptionsJSON),
|
|
MetricsProxy: b.uiMetricsProxyVal(v.MetricsProxy),
|
|
DashboardURLTemplates: v.DashboardURLTemplates,
|
|
HCPEnabled: os.Getenv("CONSUL_HCP_ENABLED") == "true",
|
|
}
|
|
}
|
|
|
|
func (b *builder) uiMetricsProxyVal(v RawUIMetricsProxy) UIMetricsProxy {
|
|
var hdrs []UIMetricsProxyAddHeader
|
|
|
|
for _, hdr := range v.AddHeaders {
|
|
hdrs = append(hdrs, UIMetricsProxyAddHeader{
|
|
Name: stringVal(hdr.Name),
|
|
Value: stringVal(hdr.Value),
|
|
})
|
|
}
|
|
|
|
return UIMetricsProxy{
|
|
BaseURL: stringVal(v.BaseURL),
|
|
AddHeaders: hdrs,
|
|
PathAllowlist: v.PathAllowlist,
|
|
}
|
|
}
|
|
|
|
func boolValWithDefault(v *bool, defaultVal bool) bool {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func boolVal(v *bool) bool {
|
|
if v == nil {
|
|
return false
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func (b *builder) durationValWithDefault(name string, v *string, defaultVal time.Duration) (d time.Duration) {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
d, err := time.ParseDuration(*v)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid duration: %q: %s", name, *v, err))
|
|
}
|
|
return d
|
|
}
|
|
|
|
func (b *builder) durationVal(name string, v *string) (d time.Duration) {
|
|
return b.durationValWithDefault(name, v, 0)
|
|
}
|
|
|
|
func intValWithDefault(v *int, defaultVal int) int {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func intVal(v *int) int {
|
|
if v == nil {
|
|
return 0
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func uintVal(v *uint) uint {
|
|
if v == nil {
|
|
return 0
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func uint64Val(v *uint64) uint64 {
|
|
if v == nil {
|
|
return 0
|
|
}
|
|
return *v
|
|
}
|
|
|
|
// Expect an octal permissions string, e.g. 0644
|
|
func (b *builder) unixPermissionsVal(name string, v *string) string {
|
|
if v == nil {
|
|
return ""
|
|
}
|
|
if _, err := strconv.ParseUint(*v, 8, 32); err == nil {
|
|
return *v
|
|
}
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid mode: %s", name, *v))
|
|
return "0"
|
|
}
|
|
|
|
func (b *builder) portVal(name string, v *int) int {
|
|
if v == nil || *v <= 0 {
|
|
return -1
|
|
}
|
|
if *v > 65535 {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid port: %d", name, *v))
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func stringValWithDefault(v *string, defaultVal string) string {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func stringVal(v *string) string {
|
|
if v == nil {
|
|
return ""
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func timeValWithDefault(v *time.Time, defaultVal time.Time) time.Time {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func float64ValWithDefault(v *float64, defaultVal float64) float64 {
|
|
if v == nil {
|
|
return defaultVal
|
|
}
|
|
return *v
|
|
}
|
|
|
|
func float64Val(v *float64) float64 {
|
|
return float64ValWithDefault(v, 0)
|
|
}
|
|
|
|
func limitVal(v *float64) rate.Limit {
|
|
f := float64Val(v)
|
|
if f < 0 {
|
|
return rate.Inf
|
|
}
|
|
|
|
return rate.Limit(f)
|
|
}
|
|
|
|
func limitValWithDefault(v *float64, defaultVal float64) rate.Limit {
|
|
f := float64ValWithDefault(v, defaultVal)
|
|
return limitVal(&f)
|
|
}
|
|
|
|
func (b *builder) cidrsVal(name string, v []string) (nets []*net.IPNet) {
|
|
if v == nil {
|
|
return
|
|
}
|
|
|
|
for _, p := range v {
|
|
_, net, err := net.ParseCIDR(strings.TrimSpace(p))
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid cidr: %s", name, p))
|
|
}
|
|
nets = append(nets, net)
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func (b *builder) tlsVersion(name string, v *string) types.TLSVersion {
|
|
// Handles unspecified config and empty string case.
|
|
//
|
|
// This check is not inside types.ValidateTLSVersionString because Envoy config
|
|
// distinguishes between an unset empty string which inherits parent config and
|
|
// an explicit TLS_AUTO which allows overriding parent config with the proxy
|
|
// defaults.
|
|
if v == nil || *v == "" {
|
|
return types.TLSVersionAuto
|
|
}
|
|
|
|
a := types.TLSVersion(*v)
|
|
|
|
err := types.ValidateTLSVersion(a)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid TLS version: %s", name, err))
|
|
return types.TLSVersionInvalid
|
|
}
|
|
return a
|
|
}
|
|
|
|
// validateTLSVersionCipherSuitesCompat checks that the specified TLS version supports
|
|
// specifying cipher suites
|
|
func validateTLSVersionCipherSuitesCompat(tlsMinVersion types.TLSVersion) error {
|
|
if tlsMinVersion == types.TLSv1_3 {
|
|
return fmt.Errorf("TLS 1.3 cipher suites are not configurable")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// tlsCipherSuites parses cipher suites from a comma-separated string into a
|
|
// recognized slice
|
|
func (b *builder) tlsCipherSuites(name string, v *string, tlsMinVersion types.TLSVersion) []types.TLSCipherSuite {
|
|
if v == nil {
|
|
return nil
|
|
}
|
|
|
|
if err := validateTLSVersionCipherSuitesCompat(tlsMinVersion); err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: %s", name, err))
|
|
return nil
|
|
}
|
|
|
|
*v = strings.TrimSpace(*v)
|
|
if *v == "" {
|
|
return []types.TLSCipherSuite{}
|
|
}
|
|
ciphers := strings.Split(*v, ",")
|
|
|
|
a := make([]types.TLSCipherSuite, len(ciphers))
|
|
for i, cipher := range ciphers {
|
|
a[i] = types.TLSCipherSuite(cipher)
|
|
}
|
|
|
|
err := types.ValidateConsulAgentCipherSuites(a)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid TLS cipher suites: %s", name, err))
|
|
return []types.TLSCipherSuite{}
|
|
}
|
|
return a
|
|
}
|
|
|
|
func (b *builder) nodeName(v *string) string {
|
|
nodeName := stringVal(v)
|
|
if nodeName == "" {
|
|
fn := b.opts.hostname
|
|
if fn == nil {
|
|
fn = os.Hostname
|
|
}
|
|
name, err := fn()
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("node_name: %s", err))
|
|
return ""
|
|
}
|
|
nodeName = name
|
|
}
|
|
return strings.TrimSpace(nodeName)
|
|
}
|
|
|
|
// expandAddrs expands the go-sockaddr template in s and returns the
|
|
// result as a list of *net.IPAddr and *net.UnixAddr.
|
|
func (b *builder) expandAddrs(name string, s *string) []net.Addr {
|
|
if s == nil || *s == "" {
|
|
return nil
|
|
}
|
|
|
|
x, err := template.Parse(*s)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: error parsing %q: %s", name, *s, err))
|
|
return nil
|
|
}
|
|
|
|
var addrs []net.Addr
|
|
for _, a := range strings.Fields(x) {
|
|
switch {
|
|
case strings.HasPrefix(a, "unix://"):
|
|
addrs = append(addrs, &net.UnixAddr{Name: a[len("unix://"):], Net: "unix"})
|
|
default:
|
|
// net.ParseIP does not like '[::]'
|
|
ip := net.ParseIP(a)
|
|
if a == "[::]" {
|
|
ip = net.ParseIP("::")
|
|
}
|
|
if ip == nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: invalid ip address: %s", name, a))
|
|
return nil
|
|
}
|
|
addrs = append(addrs, &net.IPAddr{IP: ip})
|
|
}
|
|
}
|
|
|
|
return addrs
|
|
}
|
|
|
|
// expandOptionalAddrs expands the go-sockaddr template in s and returns the
|
|
// result as a list of strings. If s does not contain a go-sockaddr template,
|
|
// the result list will contain the input string as a single element with no
|
|
// error set. In contrast to expandAddrs, expandOptionalAddrs does not validate
|
|
// if the result contains valid addresses and returns a list of strings.
|
|
// However, if the expansion of the go-sockaddr template fails an error is set.
|
|
func (b *builder) expandOptionalAddrs(name string, s *string) []string {
|
|
if s == nil || *s == "" {
|
|
return nil
|
|
}
|
|
|
|
x, err := template.Parse(*s)
|
|
if err != nil {
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: error parsing %q: %s", name, *s, err))
|
|
return nil
|
|
}
|
|
|
|
if x != *s {
|
|
// A template has been expanded, split the results from go-sockaddr
|
|
return strings.Fields(x)
|
|
} else {
|
|
// No template has been expanded, pass through the input
|
|
return []string{*s}
|
|
}
|
|
}
|
|
|
|
func (b *builder) expandAllOptionalAddrs(name string, addrs []string) []string {
|
|
out := make([]string, 0, len(addrs))
|
|
for _, a := range addrs {
|
|
expanded := b.expandOptionalAddrs(name, &a)
|
|
if expanded != nil {
|
|
out = append(out, expanded...)
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
// expandIPs expands the go-sockaddr template in s and returns a list of
|
|
// *net.IPAddr. If one of the expanded addresses is a unix socket
|
|
// address an error is set and nil is returned.
|
|
func (b *builder) expandIPs(name string, s *string) []*net.IPAddr {
|
|
if s == nil || *s == "" {
|
|
return nil
|
|
}
|
|
|
|
addrs := b.expandAddrs(name, s)
|
|
var x []*net.IPAddr
|
|
for _, addr := range addrs {
|
|
switch a := addr.(type) {
|
|
case *net.IPAddr:
|
|
x = append(x, a)
|
|
case *net.UnixAddr:
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s cannot be a unix socket", name))
|
|
return nil
|
|
default:
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s has invalid address type %T", name, a))
|
|
return nil
|
|
}
|
|
}
|
|
return x
|
|
}
|
|
|
|
// expandFirstAddr expands the go-sockaddr template in s and returns the
|
|
// first address which is either a *net.IPAddr or a *net.UnixAddr. If
|
|
// the template expands to multiple addresses an error is set and nil
|
|
// is returned.
|
|
func (b *builder) expandFirstAddr(name string, s *string) net.Addr {
|
|
if s == nil || *s == "" {
|
|
return nil
|
|
}
|
|
|
|
addrs := b.expandAddrs(name, s)
|
|
if len(addrs) == 0 {
|
|
return nil
|
|
}
|
|
if len(addrs) > 1 {
|
|
var x []string
|
|
for _, a := range addrs {
|
|
x = append(x, a.String())
|
|
}
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s: multiple addresses found: %s", name, strings.Join(x, " ")))
|
|
return nil
|
|
}
|
|
return addrs[0]
|
|
}
|
|
|
|
// expandFirstIP expands the go-sockaddr template in s and returns the
|
|
// first address if it is not a unix socket address. If the template
|
|
// expands to multiple addresses an error is set and nil is returned.
|
|
func (b *builder) expandFirstIP(name string, s *string) *net.IPAddr {
|
|
if s == nil || *s == "" {
|
|
return nil
|
|
}
|
|
|
|
addr := b.expandFirstAddr(name, s)
|
|
if addr == nil {
|
|
return nil
|
|
}
|
|
switch a := addr.(type) {
|
|
case *net.IPAddr:
|
|
return a
|
|
case *net.UnixAddr:
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s cannot be a unix socket", name))
|
|
return nil
|
|
default:
|
|
b.err = multierror.Append(b.err, fmt.Errorf("%s has invalid address type %T", name, a))
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func makeIPAddr(pri *net.IPAddr, sec *net.IPAddr) *net.IPAddr {
|
|
if pri != nil {
|
|
return pri
|
|
}
|
|
return sec
|
|
}
|
|
|
|
func (b *builder) makeTCPAddr(pri *net.IPAddr, sec net.Addr, port int) *net.TCPAddr {
|
|
if pri == nil && reflect.ValueOf(sec).IsNil() || port <= 0 {
|
|
return nil
|
|
}
|
|
addr := pri
|
|
if addr == nil {
|
|
switch a := sec.(type) {
|
|
case *net.IPAddr:
|
|
addr = a
|
|
case *net.TCPAddr:
|
|
addr = &net.IPAddr{IP: a.IP}
|
|
default:
|
|
panic(fmt.Sprintf("makeTCPAddr requires a net.IPAddr or a net.TCPAddr. Got %T", a))
|
|
}
|
|
}
|
|
return &net.TCPAddr{IP: addr.IP, Port: port}
|
|
}
|
|
|
|
// makeAddr creates an *net.TCPAddr or a *net.UnixAddr from either the
|
|
// primary or secondary address and the given port. If the port is <= 0
|
|
// then the address is considered to be disabled and nil is returned.
|
|
func (b *builder) makeAddr(pri, sec net.Addr, port int) net.Addr {
|
|
if reflect.ValueOf(pri).IsNil() && reflect.ValueOf(sec).IsNil() || port <= 0 {
|
|
return nil
|
|
}
|
|
addr := pri
|
|
if addr == nil {
|
|
addr = sec
|
|
}
|
|
switch a := addr.(type) {
|
|
case *net.IPAddr:
|
|
return &net.TCPAddr{IP: a.IP, Port: port}
|
|
case *net.UnixAddr:
|
|
return a
|
|
default:
|
|
panic(fmt.Sprintf("invalid address type %T", a))
|
|
}
|
|
}
|
|
|
|
// makeAddrs creates a list of *net.TCPAddr or *net.UnixAddr entries
|
|
// from either the primary or secondary addresses and the given port.
|
|
// If the port is <= 0 then the address is considered to be disabled
|
|
// and nil is returned.
|
|
func (b *builder) makeAddrs(pri []net.Addr, sec []*net.IPAddr, port int) []net.Addr {
|
|
if len(pri) == 0 && len(sec) == 0 || port <= 0 {
|
|
return nil
|
|
}
|
|
addrs := pri
|
|
if len(addrs) == 0 {
|
|
addrs = []net.Addr{}
|
|
for _, a := range sec {
|
|
addrs = append(addrs, a)
|
|
}
|
|
}
|
|
var x []net.Addr
|
|
for _, a := range addrs {
|
|
x = append(x, b.makeAddr(a, nil, port))
|
|
}
|
|
return x
|
|
}
|
|
|
|
func (b *builder) autoConfigVal(raw AutoConfigRaw, agentPartition string) AutoConfig {
|
|
var val AutoConfig
|
|
|
|
val.Enabled = boolValWithDefault(raw.Enabled, false)
|
|
val.IntroToken = stringVal(raw.IntroToken)
|
|
|
|
// default the IntroToken to the env variable if specified.
|
|
if envToken := os.Getenv("CONSUL_INTRO_TOKEN"); envToken != "" {
|
|
if val.IntroToken != "" {
|
|
b.warn("Both auto_config.intro_token and the CONSUL_INTRO_TOKEN environment variable are set. Using the value from the environment variable")
|
|
}
|
|
|
|
val.IntroToken = envToken
|
|
}
|
|
val.IntroTokenFile = stringVal(raw.IntroTokenFile)
|
|
// These can be go-discover values and so don't have to resolve fully yet
|
|
val.ServerAddresses = b.expandAllOptionalAddrs("auto_config.server_addresses", raw.ServerAddresses)
|
|
val.DNSSANs = raw.DNSSANs
|
|
|
|
for _, i := range raw.IPSANs {
|
|
ip := net.ParseIP(i)
|
|
if ip == nil {
|
|
b.warn(fmt.Sprintf("Cannot parse ip %q from auto_config.ip_sans", i))
|
|
continue
|
|
}
|
|
val.IPSANs = append(val.IPSANs, ip)
|
|
}
|
|
|
|
val.Authorizer = b.autoConfigAuthorizerVal(raw.Authorization, agentPartition)
|
|
|
|
return val
|
|
}
|
|
|
|
func (b *builder) autoConfigAuthorizerVal(raw AutoConfigAuthorizationRaw, agentPartition string) AutoConfigAuthorizer {
|
|
// Our config file syntax wraps the static authorizer configuration in a "static" stanza. However
|
|
// internally we do not support multiple configured authorization types so the RuntimeConfig just
|
|
// inlines the static one. While we can and probably should extend the authorization types in the
|
|
// future to support dynamic authorizers (ACL Auth Methods configured via normal APIs) its not
|
|
// needed right now so the configuration types will remain simplistic until they need to be otherwise.
|
|
var val AutoConfigAuthorizer
|
|
|
|
entMeta := structs.DefaultEnterpriseMetaInPartition(agentPartition)
|
|
entMeta.Normalize()
|
|
|
|
val.Enabled = boolValWithDefault(raw.Enabled, false)
|
|
val.ClaimAssertions = raw.Static.ClaimAssertions
|
|
val.AllowReuse = boolValWithDefault(raw.Static.AllowReuse, false)
|
|
val.AuthMethod = structs.ACLAuthMethod{
|
|
Name: "Auto Config Authorizer",
|
|
Type: "jwt",
|
|
EnterpriseMeta: *entMeta,
|
|
Config: map[string]interface{}{
|
|
"JWTSupportedAlgs": raw.Static.JWTSupportedAlgs,
|
|
"BoundAudiences": raw.Static.BoundAudiences,
|
|
"ClaimMappings": raw.Static.ClaimMappings,
|
|
"ListClaimMappings": raw.Static.ListClaimMappings,
|
|
"OIDCDiscoveryURL": stringVal(raw.Static.OIDCDiscoveryURL),
|
|
"OIDCDiscoveryCACert": stringVal(raw.Static.OIDCDiscoveryCACert),
|
|
"JWKSURL": stringVal(raw.Static.JWKSURL),
|
|
"JWKSCACert": stringVal(raw.Static.JWKSCACert),
|
|
"JWTValidationPubKeys": raw.Static.JWTValidationPubKeys,
|
|
"BoundIssuer": stringVal(raw.Static.BoundIssuer),
|
|
"ExpirationLeeway": b.durationVal("auto_config.authorization.static.expiration_leeway", raw.Static.ExpirationLeeway),
|
|
"NotBeforeLeeway": b.durationVal("auto_config.authorization.static.not_before_leeway", raw.Static.NotBeforeLeeway),
|
|
"ClockSkewLeeway": b.durationVal("auto_config.authorization.static.clock_skew_leeway", raw.Static.ClockSkewLeeway),
|
|
},
|
|
}
|
|
|
|
return val
|
|
}
|
|
|
|
func (b *builder) validateAutoConfig(rt RuntimeConfig) error {
|
|
autoconf := rt.AutoConfig
|
|
|
|
if err := validateAutoConfigAuthorizer(rt); err != nil {
|
|
return err
|
|
}
|
|
|
|
if !autoconf.Enabled {
|
|
return nil
|
|
}
|
|
|
|
// Right now we require TLS as everything we are going to transmit via auto-config is sensitive. Signed Certificates, Tokens
|
|
// and other encryption keys. This must be transmitted over a secure connection so we don't allow doing otherwise.
|
|
if !rt.TLS.InternalRPC.VerifyOutgoing {
|
|
return fmt.Errorf("auto_config.enabled cannot be set without configuring TLS for server communications")
|
|
}
|
|
|
|
// Auto Config doesn't currently support configuring servers
|
|
if rt.ServerMode {
|
|
return fmt.Errorf("auto_config.enabled cannot be set to true for server agents.")
|
|
}
|
|
|
|
// When both are set we will prefer the given value over the file.
|
|
if autoconf.IntroToken != "" && autoconf.IntroTokenFile != "" {
|
|
b.warn("Both an intro token and intro token file are set. The intro token will be used instead of the file")
|
|
} else if autoconf.IntroToken == "" && autoconf.IntroTokenFile == "" {
|
|
return fmt.Errorf("One of auto_config.intro_token, auto_config.intro_token_file or the CONSUL_INTRO_TOKEN environment variable must be set to enable auto_config")
|
|
}
|
|
|
|
if len(autoconf.ServerAddresses) == 0 {
|
|
// TODO (autoconf) can we/should we infer this from the join/retry join addresses. I think no, as we will potentially
|
|
// be overriding those retry join addresses with the autoconf process anyways.
|
|
return fmt.Errorf("auto_config.enabled is set without providing a list of addresses")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validateAutoConfigAuthorizer(rt RuntimeConfig) error {
|
|
authz := rt.AutoConfig.Authorizer
|
|
|
|
if !authz.Enabled {
|
|
return nil
|
|
}
|
|
|
|
// When in a secondary datacenter with ACLs enabled, we require token replication to be enabled
|
|
// as that is what allows us to create the local tokens to distribute to the clients. Otherwise
|
|
// we would have to have a token with the ability to create ACL tokens in the primary and make
|
|
// RPCs in response to auto config requests.
|
|
if rt.ACLsEnabled && rt.PrimaryDatacenter != rt.Datacenter && !rt.ACLTokenReplication {
|
|
return fmt.Errorf("Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_token_replication)")
|
|
}
|
|
|
|
// Auto Config Authorization is only supported on servers
|
|
if !rt.ServerMode {
|
|
return fmt.Errorf("auto_config.authorization.enabled cannot be set to true for client agents")
|
|
}
|
|
|
|
// Right now we require TLS as everything we are going to transmit via auto-config is sensitive. Signed Certificates, Tokens
|
|
// and other encryption keys. This must be transmitted over a secure connection so we don't allow doing otherwise.
|
|
if rt.TLS.InternalRPC.CertFile == "" {
|
|
return fmt.Errorf("auto_config.authorization.enabled cannot be set without providing a TLS certificate for the server")
|
|
}
|
|
|
|
// build out the validator to ensure that the given configuration was valid
|
|
null := hclog.NewNullLogger()
|
|
validator, err := ssoauth.NewValidator(null, &authz.AuthMethod)
|
|
if err != nil {
|
|
return fmt.Errorf("auto_config.authorization.static has invalid configuration: %v", err)
|
|
}
|
|
|
|
// create a blank identity for use to validate the claim assertions.
|
|
blankID := validator.NewIdentity()
|
|
varMap := map[string]string{
|
|
"node": "fake",
|
|
"segment": "fake",
|
|
"partition": "fake",
|
|
}
|
|
|
|
// validate all the claim assertions
|
|
for _, raw := range authz.ClaimAssertions {
|
|
// validate any HIL
|
|
filled, err := libtempl.InterpolateHIL(raw, varMap, true)
|
|
if err != nil {
|
|
return fmt.Errorf("auto_config.authorization.static.claim_assertion %q is invalid: %v", raw, err)
|
|
}
|
|
|
|
// validate the bexpr syntax - note that for now all the keys mapped by the claim mappings
|
|
// are not validateable due to them being put inside a map. Some bexpr updates to setup keys
|
|
// from current map keys would probably be nice here.
|
|
if _, err := bexpr.CreateEvaluatorForType(filled, nil, blankID.SelectableFields); err != nil {
|
|
return fmt.Errorf("auto_config.authorization.static.claim_assertion %q is invalid: %v", raw, err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (b *builder) cloudConfigVal(v *CloudConfigRaw) hcpconfig.CloudConfig {
|
|
val := hcpconfig.CloudConfig{
|
|
ResourceID: os.Getenv("HCP_RESOURCE_ID"),
|
|
}
|
|
if v == nil {
|
|
return val
|
|
}
|
|
|
|
val.ClientID = stringVal(v.ClientID)
|
|
val.ClientSecret = stringVal(v.ClientSecret)
|
|
val.AuthURL = stringVal(v.AuthURL)
|
|
val.Hostname = stringVal(v.Hostname)
|
|
val.ScadaAddress = stringVal(v.ScadaAddress)
|
|
|
|
if resourceID := stringVal(v.ResourceID); resourceID != "" {
|
|
val.ResourceID = resourceID
|
|
}
|
|
return val
|
|
}
|
|
|
|
// decodeBytes returns the encryption key decoded.
|
|
func decodeBytes(key string) ([]byte, error) {
|
|
return base64.StdEncoding.DecodeString(key)
|
|
}
|
|
|
|
func isIPAddr(a net.Addr) bool {
|
|
_, ok := a.(*net.IPAddr)
|
|
return ok
|
|
}
|
|
|
|
func isUnixAddr(a net.Addr) bool {
|
|
_, ok := a.(*net.UnixAddr)
|
|
return ok
|
|
}
|
|
|
|
// isValidAltDomain returns true if the given domain is not prefixed
|
|
// by keywords used when dispatching DNS requests
|
|
func isValidAltDomain(domain, datacenter string) bool {
|
|
reAltDomain := regexp.MustCompile(
|
|
fmt.Sprintf(
|
|
"^(service|connect|node|query|addr|%s)\\.(%s\\.)?",
|
|
datacenter, datacenter,
|
|
),
|
|
)
|
|
return !reAltDomain.MatchString(domain)
|
|
}
|
|
|
|
// UIPathBuilder checks to see if there was a path set
|
|
// If so, adds beginning and trailing slashes to UI path
|
|
func UIPathBuilder(UIContentString string) string {
|
|
if UIContentString != "" {
|
|
var fmtedPath string
|
|
fmtedPath = strings.Trim(UIContentString, "/")
|
|
fmtedPath = "/" + fmtedPath + "/"
|
|
return fmtedPath
|
|
|
|
}
|
|
return "/ui/"
|
|
}
|
|
|
|
const remoteScriptCheckSecurityWarning = "using enable-script-checks without ACLs and without allow_write_http_from is DANGEROUS, use enable-local-script-checks instead, see https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations/"
|
|
|
|
// validateRemoteScriptsChecks returns an error if EnableRemoteScriptChecks is
|
|
// enabled without other security features, which mitigate the risk of executing
|
|
// remote scripts.
|
|
func validateRemoteScriptsChecks(conf RuntimeConfig) error {
|
|
if conf.EnableRemoteScriptChecks && !conf.ACLsEnabled && len(conf.AllowWriteHTTPFrom) == 0 {
|
|
return errors.New(remoteScriptCheckSecurityWarning)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func validateAbsoluteURLPath(p string) error {
|
|
if !path.IsAbs(p) {
|
|
return fmt.Errorf("path %q is not an absolute path", p)
|
|
}
|
|
|
|
// A bit more extra validation that these are actually paths.
|
|
u, err := url.Parse(p)
|
|
if err != nil ||
|
|
u.Scheme != "" ||
|
|
u.Opaque != "" ||
|
|
u.User != nil ||
|
|
u.Host != "" ||
|
|
u.RawQuery != "" ||
|
|
u.Fragment != "" ||
|
|
u.Path != p {
|
|
return fmt.Errorf("path %q is not an absolute path", p)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (b *builder) buildTLSConfig(rt RuntimeConfig, t TLS) (tlsutil.Config, error) {
|
|
var c tlsutil.Config
|
|
|
|
// Consul makes no outgoing connections to the public gRPC port (internal gRPC
|
|
// traffic goes through the multiplexed internal RPC port) so return an error
|
|
// rather than let the user think this setting is going to do anything useful.
|
|
if t.GRPC.VerifyOutgoing != nil {
|
|
return c, errors.New("verify_outgoing is not valid in the tls.grpc stanza")
|
|
}
|
|
|
|
// Similarly, only the internal RPC configuration honors VerifyServerHostname
|
|
// so we call it out here too.
|
|
if t.Defaults.VerifyServerHostname != nil || t.GRPC.VerifyServerHostname != nil || t.HTTPS.VerifyServerHostname != nil {
|
|
return c, errors.New("verify_server_hostname is only valid in the tls.internal_rpc stanza")
|
|
}
|
|
|
|
// And UseAutoCert right now only applies to external gRPC interface.
|
|
if t.Defaults.UseAutoCert != nil || t.HTTPS.UseAutoCert != nil || t.InternalRPC.UseAutoCert != nil {
|
|
return c, errors.New("use_auto_cert is only valid in the tls.grpc stanza")
|
|
}
|
|
|
|
defaultTLSMinVersion := b.tlsVersion("tls.defaults.tls_min_version", t.Defaults.TLSMinVersion)
|
|
defaultCipherSuites := b.tlsCipherSuites("tls.defaults.tls_cipher_suites", t.Defaults.TLSCipherSuites, defaultTLSMinVersion)
|
|
|
|
mapCommon := func(name string, src TLSProtocolConfig, dst *tlsutil.ProtocolConfig) {
|
|
dst.CAPath = stringValWithDefault(src.CAPath, stringVal(t.Defaults.CAPath))
|
|
dst.CAFile = stringValWithDefault(src.CAFile, stringVal(t.Defaults.CAFile))
|
|
dst.CertFile = stringValWithDefault(src.CertFile, stringVal(t.Defaults.CertFile))
|
|
dst.KeyFile = stringValWithDefault(src.KeyFile, stringVal(t.Defaults.KeyFile))
|
|
dst.VerifyIncoming = boolValWithDefault(src.VerifyIncoming, boolVal(t.Defaults.VerifyIncoming))
|
|
|
|
// We prevent this from being set explicity in the tls.grpc stanza above, but
|
|
// let's also prevent it from getting the tls.defaults value to avoid confusion
|
|
// if we decide to support it in the future.
|
|
if name != "grpc" {
|
|
dst.VerifyOutgoing = boolValWithDefault(src.VerifyOutgoing, boolVal(t.Defaults.VerifyOutgoing))
|
|
}
|
|
|
|
if src.TLSMinVersion == nil {
|
|
dst.TLSMinVersion = defaultTLSMinVersion
|
|
} else {
|
|
dst.TLSMinVersion = b.tlsVersion(
|
|
fmt.Sprintf("tls.%s.tls_min_version", name),
|
|
src.TLSMinVersion,
|
|
)
|
|
}
|
|
|
|
if src.TLSCipherSuites == nil {
|
|
// If cipher suite config incompatible with a specified TLS min version
|
|
// would be inherited, omit it but don't return an error in the builder.
|
|
if validateTLSVersionCipherSuitesCompat(dst.TLSMinVersion) == nil {
|
|
dst.CipherSuites = defaultCipherSuites
|
|
}
|
|
} else {
|
|
dst.CipherSuites = b.tlsCipherSuites(
|
|
fmt.Sprintf("tls.%s.tls_cipher_suites", name),
|
|
src.TLSCipherSuites,
|
|
dst.TLSMinVersion,
|
|
)
|
|
}
|
|
}
|
|
|
|
mapCommon("internal_rpc", t.InternalRPC, &c.InternalRPC)
|
|
c.InternalRPC.VerifyServerHostname = boolVal(t.InternalRPC.VerifyServerHostname)
|
|
|
|
// Setting only verify_server_hostname is documented to imply verify_outgoing.
|
|
// If it doesn't then we risk sending communication over plain TCP when we
|
|
// documented it as forcing TLS for RPCs. Enforce this here rather than in
|
|
// several different places through the code that need to reason about it.
|
|
//
|
|
// See: CVE-2018-19653
|
|
c.InternalRPC.VerifyOutgoing = c.InternalRPC.VerifyOutgoing || c.InternalRPC.VerifyServerHostname
|
|
|
|
mapCommon("https", t.HTTPS, &c.HTTPS)
|
|
mapCommon("grpc", t.GRPC, &c.GRPC)
|
|
c.GRPC.UseAutoCert = boolValWithDefault(t.GRPC.UseAutoCert, false)
|
|
|
|
c.ServerMode = rt.ServerMode
|
|
c.ServerName = rt.ServerName
|
|
c.NodeName = rt.NodeName
|
|
c.Domain = rt.DNSDomain
|
|
c.EnableAgentTLSForChecks = rt.EnableAgentTLSForChecks
|
|
c.AutoTLS = rt.AutoEncryptTLS || rt.AutoConfig.Enabled
|
|
|
|
return c, nil
|
|
}
|
|
|
|
func (b *builder) parsePrefixFilter(telemetry *Telemetry) ([]string, []string) {
|
|
var telemetryAllowedPrefixes, telemetryBlockedPrefixes []string
|
|
|
|
// TODO(FFMMM): Once one twelve style RPC metrics get out of Beta, don't remove them by default.
|
|
operatorPassedOneTwelveRPCMetric := false
|
|
oneTwelveRPCMetric := *telemetry.MetricsPrefix + "." + strings.Join(middleware.OneTwelveRPCSummary[0].Name, ".")
|
|
|
|
for _, rule := range telemetry.PrefixFilter {
|
|
if rule == "" {
|
|
b.warn("Cannot have empty filter rule in prefix_filter")
|
|
continue
|
|
}
|
|
switch rule[0] {
|
|
case '+':
|
|
if rule[1:] == oneTwelveRPCMetric {
|
|
operatorPassedOneTwelveRPCMetric = true
|
|
}
|
|
telemetryAllowedPrefixes = append(telemetryAllowedPrefixes, rule[1:])
|
|
case '-':
|
|
if rule[1:] == oneTwelveRPCMetric {
|
|
operatorPassedOneTwelveRPCMetric = true
|
|
}
|
|
telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:])
|
|
default:
|
|
b.warn("Filter rule must begin with either '+' or '-': %q", rule)
|
|
}
|
|
}
|
|
|
|
if !operatorPassedOneTwelveRPCMetric {
|
|
telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, oneTwelveRPCMetric)
|
|
}
|
|
|
|
return telemetryAllowedPrefixes, telemetryBlockedPrefixes
|
|
}
|
|
|
|
func (b *builder) raftLogStoreConfigVal(raw *RaftLogStoreRaw) consul.RaftLogStoreConfig {
|
|
var cfg consul.RaftLogStoreConfig
|
|
if raw != nil {
|
|
cfg.Backend = stringValWithDefault(raw.Backend, consul.LogStoreBackendBoltDB)
|
|
cfg.DisableLogCache = boolVal(raw.DisableLogCache)
|
|
|
|
cfg.Verification.Enabled = boolVal(raw.Verification.Enabled)
|
|
cfg.Verification.Interval = b.durationVal("raft_logstore.verification.interval", raw.Verification.Interval)
|
|
|
|
cfg.BoltDB.NoFreelistSync = boolVal(raw.BoltDBConfig.NoFreelistSync)
|
|
|
|
cfg.WAL.SegmentSize = intVal(raw.WALConfig.SegmentSizeMB) * 1024 * 1024
|
|
}
|
|
return cfg
|
|
}
|