github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13170 Commits
1702 Branches
457 Tags
697 MiB
Tree: 748d56b8ab
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '748d56b8ab'
${ noResults }
consul/api/api.go

1055 lines
30 KiB
Raw Normal View History Unescape

api: initial import from armon/consul-api
10 years ago
package api
import (
"bytes"
Update unix dial functions to use DialContext with new go-cleanhttp
8 years ago
"context"
Read select environment variables when generating the default configuration
10 years ago
"crypto/tls"
api: initial import from armon/consul-api
10 years ago
"encoding/json"
"fmt"
"io"
Prevent Session.Destroy from leaving open TCP connections
8 years ago
"io/ioutil"
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
"net"
api: initial import from armon/consul-api
10 years ago
"net/http"
"net/url"
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
"os"
api: initial import from armon/consul-api
10 years ago
"strconv"
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
"strings"
api: initial import from armon/consul-api
10 years ago
"time"
Use cleanhttp to get rid of DefaultTransport
9 years ago
Update cleanhttp repo location
9 years ago
"github.com/hashicorp/go-cleanhttp"
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
"github.com/hashicorp/go-hclog"
Add tls client options to api/cli
8 years ago
"github.com/hashicorp/go-rootcerts"
api: initial import from armon/consul-api
10 years ago
)
Remove redundant hardcoded environment variables The following hardcoded environment variables are removed: * CONSUL_RPC_ADDR * CONSUL_HTTP_ADDR
8 years ago
const (
// HTTPAddrEnvName defines an environment variable name which sets
// the HTTP address if there is no -http-addr specified.
HTTPAddrEnvName = "CONSUL_HTTP_ADDR"
Add api environment variables as constants for consistency
8 years ago
// HTTPTokenEnvName defines an environment variable name which sets
// the HTTP token.
HTTPTokenEnvName = "CONSUL_HTTP_TOKEN"
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
// HTTPTokenFileEnvName defines an environment variable name which sets
// the HTTP token file.
HTTPTokenFileEnvName = "CONSUL_HTTP_TOKEN_FILE"
Add api environment variables as constants for consistency
8 years ago
// HTTPAuthEnvName defines an environment variable name which sets
// the HTTP authentication header.
HTTPAuthEnvName = "CONSUL_HTTP_AUTH"
// HTTPSSLEnvName defines an environment variable name which sets
// whether or not to use HTTPS.
HTTPSSLEnvName = "CONSUL_HTTP_SSL"
Add tls client options to api/cli
8 years ago
// HTTPCAFile defines an environment variable name which sets the
// CA file to use for talking to Consul over TLS.
HTTPCAFile = "CONSUL_CACERT"
// HTTPCAPath defines an environment variable name which sets the
// path to a directory of CA certs to use for talking to Consul over TLS.
HTTPCAPath = "CONSUL_CAPATH"
// HTTPClientCert defines an environment variable name which sets the
// client cert file to use for talking to Consul over TLS.
HTTPClientCert = "CONSUL_CLIENT_CERT"
// HTTPClientKey defines an environment variable name which sets the
// client key file to use for talking to Consul over TLS.
HTTPClientKey = "CONSUL_CLIENT_KEY"
// HTTPTLSServerName defines an environment variable name which sets the
// server name to use as the SNI host when connecting via TLS
HTTPTLSServerName = "CONSUL_TLS_SERVER_NAME"
Add api environment variables as constants for consistency
8 years ago
// HTTPSSLVerifyEnvName defines an environment variable name which sets
// whether or not to disable certificate checking.
HTTPSSLVerifyEnvName = "CONSUL_HTTP_SSL_VERIFY"
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review
6 years ago
// GRPCAddrEnvName defines an environment variable name which sets the gRPC
// address for consul connect envoy. Note this isn't actually used by the api
// client in this package but is defined here for consistency with all the
// other ENV names we use.
GRPCAddrEnvName = "CONSUL_GRPC_ADDR"
Change how namespaces are specified for the CLI (#6960)
5 years ago
// HTTPNamespaceEnvVar defines an environment variable name which sets
// the HTTP Namespace to be used by default. This can still be overridden.
HTTPNamespaceEnvName = "CONSUL_NAMESPACE"
Remove redundant hardcoded environment variables The following hardcoded environment variables are removed: * CONSUL_RPC_ADDR * CONSUL_HTTP_ADDR
8 years ago
)
api: initial import from armon/consul-api
10 years ago
// QueryOptions are used to parameterize a query
type QueryOptions struct {
Add Namespace as an api query/write option (#6551)
5 years ago
// Namespace overrides the `default` namespace
// Note: Namespaces are available only in Consul Enterprise
Namespace string
api: initial import from armon/consul-api
10 years ago
// Providing a datacenter overwrites the DC provided
// by the Config
Datacenter string
// AllowStale allows any Consul server (non-leader) to service
// a read. This allows for lower latency and higher throughput
AllowStale bool
// RequireConsistent forces the read to be fully consistent.
// This is more expensive but prevents ever performing a stale
// read.
RequireConsistent bool
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
// UseCache requests that the agent cache results locally. See
api: update link to agent caching in comments (#5935)
6 years ago
// https://www.consul.io/api/features/caching.html for more details on the
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
// semantics.
UseCache bool
// MaxAge limits how old a cached value will be returned if UseCache is true.
// If there is a cached response that is older than the MaxAge, it is treated
// as a cache miss and a new fetch invoked. If the fetch fails, the error is
// returned. Clients that wish to allow for stale results on error can set
fix typos reported by golangci-lint:misspell (#5434)
6 years ago
// StaleIfError to a longer duration to change this behavior. It is ignored
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
// if the endpoint supports background refresh caching. See
api: update link to agent caching in comments (#5935)
6 years ago
// https://www.consul.io/api/features/caching.html for more details.
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
MaxAge time.Duration
// StaleIfError specifies how stale the client will accept a cached response
// if the servers are unavailable to fetch a fresh one. Only makes sense when
// UseCache is true and MaxAge is set to a lower, non-zero value. It is
// ignored if the endpoint supports background refresh caching. See
api: update link to agent caching in comments (#5935)
6 years ago
// https://www.consul.io/api/features/caching.html for more details.
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
StaleIfError time.Duration
api: initial import from armon/consul-api
10 years ago
// WaitIndex is used to enable a blocking query. Waits
// until the timeout or the next index is reached
WaitIndex uint64
Adds `api` client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list.
7 years ago
// WaitHash is used by some endpoints instead of WaitIndex to perform blocking
// on state based on a hash of the response rather than a monotonic index.
// This is required when the state being blocked on is not stored in Raft, for
// example agent-local proxy configuration.
WaitHash string
api: initial import from armon/consul-api
10 years ago
// WaitTime is used to bound the duration of a wait.
Fix a bunch of typos.
9 years ago
// Defaults to that of the Config, but can be overridden.
api: initial import from armon/consul-api
10 years ago
WaitTime time.Duration
// Token is used to provide a per-request ACL token
// which overrides the agent's default token.
Token string
Adds support for coordinates to client API.
9 years ago
// Near is used to provide a node name that will sort the results
// in ascending order based on the estimated round trip time from
// that node. Setting this to "_agent" will use the agent's node
// for the sort.
Near string
Update client api and docs for node metadata
8 years ago
// NodeMeta is used to filter results by nodes with the given
// metadata key/value pairs. Currently, only one key/value pair can
// be provided for filtering.
NodeMeta map[string]string
Convert keyring command to use base.Command
8 years ago
fix typo
7 years ago
// RelayFactor is used in keyring operations to cause responses to be
Convert keyring command to use base.Command
8 years ago
// relayed back to the sender through N other random nodes. Must be
// a value from 0 to 5 (inclusive).
RelayFactor uint8
Fix socket file handle leaks from old blocking queries upon consul reload. This fixes issue #3018
8 years ago
add flag to allow /operator/keyring requests to only hit local servers (#6279) Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic). HTTP API: GET /operator/keyring?local-only=true CLI: consul keyring -list --local-only Sending the local-only flag with any non-GET/list request will result in an error.
5 years ago
// LocalOnly is used in keyring list operation to force the keyring
// query to only hit local servers (no WAN traffic).
LocalOnly bool
api: change Connect to a query option
7 years ago
// Connect filters prepared query execution to only include Connect-capable
// services. This currently affects prepared query execution.
Connect bool
Expands and rework context support in the API client. (#3273)
7 years ago
// ctx is an optional context pass through to the underlying HTTP
// request layer. Use Context() and WithContext() to manage this.
ctx context.Context
Implement data filtering of some endpoints (#5579) Fixes: #4222 # Data Filtering This PR will implement filtering for the following endpoints: ## Supported HTTP Endpoints - `/agent/checks` - `/agent/services` - `/catalog/nodes` - `/catalog/service/:service` - `/catalog/connect/:service` - `/catalog/node/:node` - `/health/node/:node` - `/health/checks/:service` - `/health/service/:service` - `/health/connect/:service` - `/health/state/:state` - `/internal/ui/nodes` - `/internal/ui/services` More can be added going forward and any endpoint which is used to list some data is a good candidate. ## Usage When using the HTTP API a `filter` query parameter can be used to pass a filter expression to Consul. Filter Expressions take the general form of: ``` <selector> == <value> <selector> != <value> <value> in <selector> <value> not in <selector> <selector> contains <value> <selector> not contains <value> <selector> is empty <selector> is not empty not <other expression> <expression 1> and <expression 2> <expression 1> or <expression 2> ``` Normal boolean logic and precedence is supported. All of the actual filtering and evaluation logic is coming from the [go-bexpr](https://github.com/hashicorp/go-bexpr) library ## Other changes Adding the `Internal.ServiceDump` RPC endpoint. This will allow the UI to filter services better.
6 years ago
// Filter requests filtering data prior to it being returned. The string
// is a go-bexpr compatible expression.
Filter string
Expands and rework context support in the API client. (#3273)
7 years ago
}
func (o *QueryOptions) Context() context.Context {
if o != nil && o.ctx != nil {
return o.ctx
}
return context.Background()
}
func (o *QueryOptions) WithContext(ctx context.Context) *QueryOptions {
o2 := new(QueryOptions)
if o != nil {
*o2 = *o
}
o2.ctx = ctx
return o2
api: initial import from armon/consul-api
10 years ago
}
// WriteOptions are used to parameterize a write
type WriteOptions struct {
Add Namespace as an api query/write option (#6551)
5 years ago
// Namespace overrides the `default` namespace
// Note: Namespaces are available only in Consul Enterprise
Namespace string
api: initial import from armon/consul-api
10 years ago
// Providing a datacenter overwrites the DC provided
// by the Config
Datacenter string
// Token is used to provide a per-request ACL token
// which overrides the agent's default token.
Token string
Convert keyring command to use base.Command
8 years ago
Spelling (#3958) * spelling: another * spelling: autopilot * spelling: beginning * spelling: circonus * spelling: default * spelling: definition * spelling: distance * spelling: encountered * spelling: enterprise * spelling: expands * spelling: exits * spelling: formatting * spelling: health * spelling: hierarchy * spelling: imposed * spelling: independence * spelling: inspect * spelling: last * spelling: latest * spelling: client * spelling: message * spelling: minimum * spelling: notify * spelling: nonexistent * spelling: operator * spelling: payload * spelling: preceded * spelling: prepared * spelling: programmatically * spelling: required * spelling: reconcile * spelling: responses * spelling: request * spelling: response * spelling: results * spelling: retrieve * spelling: service * spelling: significantly * spelling: specifies * spelling: supported * spelling: synchronization * spelling: synchronous * spelling: themselves * spelling: unexpected * spelling: validations * spelling: value
7 years ago
// RelayFactor is used in keyring operations to cause responses to be
Convert keyring command to use base.Command
8 years ago
// relayed back to the sender through N other random nodes. Must be
// a value from 0 to 5 (inclusive).
RelayFactor uint8
Expands and rework context support in the API client. (#3273)
7 years ago
// ctx is an optional context pass through to the underlying HTTP
// request layer. Use Context() and WithContext() to manage this.
ctx context.Context
}
func (o *WriteOptions) Context() context.Context {
if o != nil && o.ctx != nil {
return o.ctx
}
return context.Background()
}
func (o *WriteOptions) WithContext(ctx context.Context) *WriteOptions {
o2 := new(WriteOptions)
if o != nil {
*o2 = *o
}
o2.ctx = ctx
return o2
api: initial import from armon/consul-api
10 years ago
}
// QueryMeta is used to return meta data about a query
type QueryMeta struct {
// LastIndex. This can be used as a WaitIndex to perform
// a blocking query
LastIndex uint64
Basic `watch` support for connect proxy config and certificate endpoints. - Includes some bug fixes for previous `api` work and `agent` that weren't tested - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches. - Integration into `connect` is partially done here but still WIP
7 years ago
// LastContentHash. This can be used as a WaitHash to perform a blocking query
// for endpoints that support hash-based blocking. Endpoints that do not
// support it will return an empty hash.
LastContentHash string
api: initial import from armon/consul-api
10 years ago
// Time of last contact from the leader for the
// server servicing the request
LastContact time.Duration
// Is there a known leader
KnownLeader bool
// How long did the request take
RequestTime time.Duration
Adds an `X-Consul-Translate-Addresses` to signal translation is enabled.
8 years ago
// Is address translation enabled for HTTP responses on this agent
AddressTranslationEnabled bool
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
// CacheHit is true if the result was served from agent-local cache.
CacheHit bool
// CacheAge is set if request was ?cached and indicates how stale the cached
// response is.
CacheAge time.Duration
agent: return the default ACL policy to callers as a header (#9101) Header is: X-Consul-Default-ACL-Policy=<allow|deny> This is of particular utility when fetching matching intentions, as the fallthrough for a request that doesn't match any intentions is to enforce using the default acl policy.
4 years ago
// DefaultACLPolicy is used to control the ACL interaction when there is no
// defined policy. This can be "allow" which means ACLs are used to
// deny-list, or "deny" which means ACLs are allow-lists.
DefaultACLPolicy string
api: initial import from armon/consul-api
10 years ago
}
// WriteMeta is used to return meta data about a write
type WriteMeta struct {
// How long did the request take
RequestTime time.Duration
}
Import HTTP basic auth patch from armon/consul-api#16
10 years ago
// HttpBasicAuth is used to authenticate http client with HTTP Basic Authentication
type HttpBasicAuth struct {
// Username to use for HTTP Basic Authentication
Username string
// Password to use for HTTP Basic Authentication
Password string
}
api: initial import from armon/consul-api
10 years ago
// Config is used to configure the creation of a client
type Config struct {
// Address is the address of the Consul server
Address string
// Scheme is the URI scheme for the Consul server
Scheme string
// Datacenter to use. If not provided, the default agent datacenter is used.
Datacenter string
Make the API client's httpClient more pluggable (#2926)
8 years ago
// Transport is the Transport to use for the http client.
Transport *http.Transport
api: initial import from armon/consul-api
10 years ago
// HttpClient is the client to use. Default will be
// used if not provided.
HttpClient *http.Client
Import HTTP basic auth patch from armon/consul-api#16
10 years ago
// HttpAuth is the auth info to use for http access.
HttpAuth *HttpBasicAuth
api: initial import from armon/consul-api
10 years ago
// WaitTime limits how long a Watch will block. If not provided,
// the agent default values will be used.
WaitTime time.Duration
// Token is used to provide a per-request ACL token
// which overrides the agent's default token.
Token string
Add tls client options to api/cli
8 years ago
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
// TokenFile is a file containing the current token to use for this client.
// If provided it is read once at startup and never again.
TokenFile string
OSS KV Modifications to Support Namespaces
5 years ago
// Namespace is the name of the namespace to send along for the request
Revert "Add namespace support for metrics (OSS) (#9117)" (#9124) This reverts commit 06b3b017d326853dbb53bc0ec08ce371265c5ce9.
4 years ago
// when no other Namespace ispresent in the QueryOptions
OSS KV Modifications to Support Namespaces
5 years ago
Namespace string
Add tls client options to api/cli
8 years ago
TLSConfig TLSConfig
api: initial import from armon/consul-api
10 years ago
}
Adds TLS config helper to API client.
9 years ago
// TLSConfig is used to generate a TLSClientConfig that's useful for talking to
// Consul using TLS.
type TLSConfig struct {
Improves the comment for the Address field.
9 years ago
// Address is the optional address of the Consul server. The port, if any
// will be removed from here and this will be set to the ServerName of the
// resulting config.
Adds TLS config helper to API client.
9 years ago
Address string
// CAFile is the optional path to the CA certificate used for Consul
// communication, defaults to the system bundle if not specified.
CAFile string
Add tls client options to api/cli
8 years ago
// CAPath is the optional path to a directory of CA certificates to use for
// Consul communication, defaults to the system bundle if not specified.
CAPath string
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
// CAPem is the optional PEM-encoded CA certificate used for Consul
// communication, defaults to the system bundle if not specified.
CAPem []byte
Adds TLS config helper to API client.
9 years ago
// CertFile is the optional path to the certificate for Consul
// communication. If this is set then you need to also set KeyFile.
CertFile string
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
// CertPEM is the optional PEM-encoded certificate for Consul
// communication. If this is set then you need to also set KeyPEM.
CertPEM []byte
Adds TLS config helper to API client.
9 years ago
// KeyFile is the optional path to the private key for Consul communication.
// If this is set then you need to also set CertFile.
KeyFile string
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
// KeyPEM is the optional PEM-encoded private key for Consul communication.
// If this is set then you need to also set CertPEM.
KeyPEM []byte
Adds TLS config helper to API client.
9 years ago
// InsecureSkipVerify if set to true will disable TLS host verification.
InsecureSkipVerify bool
}
Switches default for API client to pooled connections.
9 years ago
// DefaultConfig returns a default configuration for the client. By default this
// will pool and reuse idle connections to Consul. If you have a long-lived
// client object, this is the desired behavior and should make the most efficient
Remove wrong space character (#4910) There should be no space before a comma
6 years ago
// use of the connections to Consul. If you don't reuse a client object, which
Switches default for API client to pooled connections.
9 years ago
// is not recommended, then you may notice idle connections building up over
// time. To avoid this, use the DefaultNonPooledConfig() instead.
api: initial import from armon/consul-api
10 years ago
func DefaultConfig() *Config {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
return defaultConfig(nil, cleanhttp.DefaultPooledTransport)
}
// DefaultConfigWithLogger returns a default configuration for the client. It
// is exactly the same as DefaultConfig, but allows for a pre-configured logger
// object to be passed through.
func DefaultConfigWithLogger(logger hclog.Logger) *Config {
return defaultConfig(logger, cleanhttp.DefaultPooledTransport)
Switches default for API client to pooled connections.
9 years ago
}
// DefaultNonPooledConfig returns a default configuration for the client which
// does not pool connections. This isn't a recommended configuration because it
// will reconnect to Consul on every request, but this is useful to avoid the
// accumulation of idle connections if you make many client objects during the
// lifetime of your application.
func DefaultNonPooledConfig() *Config {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
return defaultConfig(nil, cleanhttp.DefaultTransport)
Switches default for API client to pooled connections.
9 years ago
}
// defaultConfig returns the default configuration for the client, using the
// given function to make the transport.
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
func defaultConfig(logger hclog.Logger, transportFn func() *http.Transport) *Config {
if logger == nil {
logger = hclog.New(&hclog.LoggerOptions{
Name: "consul-api",
})
}
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
config := &Config{
golint: Untangle if blocks with return in else
8 years ago
Address: "127.0.0.1:8500",
Scheme: "http",
Make the API client's httpClient more pluggable (#2926)
8 years ago
Transport: transportFn(),
api: initial import from armon/consul-api
10 years ago
}
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
Remove redundant hardcoded environment variables The following hardcoded environment variables are removed: * CONSUL_RPC_ADDR * CONSUL_HTTP_ADDR
8 years ago
if addr := os.Getenv(HTTPAddrEnvName); addr != "" {
agent: beginning refactor
10 years ago
config.Address = addr
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
}
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
if tokenFile := os.Getenv(HTTPTokenFileEnvName); tokenFile != "" {
config.TokenFile = tokenFile
}
Add api environment variables as constants for consistency
8 years ago
if token := os.Getenv(HTTPTokenEnvName); token != "" {
Read select environment variables when generating the default configuration
10 years ago
config.Token = token
}
Add api environment variables as constants for consistency
8 years ago
if auth := os.Getenv(HTTPAuthEnvName); auth != "" {
Read select environment variables when generating the default configuration
10 years ago
var username, password string
if strings.Contains(auth, ":") {
split := strings.SplitN(auth, ":", 2)
username = split[0]
password = split[1]
} else {
username = auth
}
config.HttpAuth = &HttpBasicAuth{
Username: username,
Password: password,
}
}
Add api environment variables as constants for consistency
8 years ago
if ssl := os.Getenv(HTTPSSLEnvName); ssl != "" {
Read select environment variables when generating the default configuration
10 years ago
enabled, err := strconv.ParseBool(ssl)
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
logger.Warn(fmt.Sprintf("could not parse %s", HTTPSSLEnvName), "error", err)
Read select environment variables when generating the default configuration
10 years ago
}
if enabled {
config.Scheme = "https"
}
}
Add tls client options to api/cli
8 years ago
if v := os.Getenv(HTTPTLSServerName); v != "" {
config.TLSConfig.Address = v
}
if v := os.Getenv(HTTPCAFile); v != "" {
config.TLSConfig.CAFile = v
}
if v := os.Getenv(HTTPCAPath); v != "" {
config.TLSConfig.CAPath = v
}
if v := os.Getenv(HTTPClientCert); v != "" {
config.TLSConfig.CertFile = v
}
if v := os.Getenv(HTTPClientKey); v != "" {
config.TLSConfig.KeyFile = v
}
if v := os.Getenv(HTTPSSLVerifyEnvName); v != "" {
doVerify, err := strconv.ParseBool(v)
Read select environment variables when generating the default configuration
10 years ago
if err != nil {
Allow users to configure either unstructured or JSON logging (#7130) * hclog Allow users to choose between unstructured and JSON logging
5 years ago
logger.Warn(fmt.Sprintf("could not parse %s", HTTPSSLVerifyEnvName), "error", err)
Read select environment variables when generating the default configuration
10 years ago
}
if !doVerify {
Add tls client options to api/cli
8 years ago
config.TLSConfig.InsecureSkipVerify = true
Read select environment variables when generating the default configuration
10 years ago
}
}
Change how namespaces are specified for the CLI (#6960)
5 years ago
if v := os.Getenv(HTTPNamespaceEnvName); v != "" {
config.Namespace = v
}
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
return config
api: initial import from armon/consul-api
10 years ago
}
Adds TLS config helper to API client.
9 years ago
// TLSConfig is used to generate a TLSClientConfig that's useful for talking to
// Consul using TLS.
func SetupTLSConfig(tlsConfig *TLSConfig) (*tls.Config, error) {
tlsClientConfig := &tls.Config{
InsecureSkipVerify: tlsConfig.InsecureSkipVerify,
}
if tlsConfig.Address != "" {
server := tlsConfig.Address
hasPort := strings.LastIndex(server, ":") > strings.LastIndex(server, "]")
if hasPort {
var err error
server, _, err = net.SplitHostPort(server)
if err != nil {
return nil, err
}
}
tlsClientConfig.ServerName = server
}
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
if len(tlsConfig.CertPEM) != 0 && len(tlsConfig.KeyPEM) != 0 {
tlsCert, err := tls.X509KeyPair(tlsConfig.CertPEM, tlsConfig.KeyPEM)
if err != nil {
return nil, err
}
tlsClientConfig.Certificates = []tls.Certificate{tlsCert}
} else if len(tlsConfig.CertPEM) != 0 || len(tlsConfig.KeyPEM) != 0 {
return nil, fmt.Errorf("both client cert and client key must be provided")
}
Adds TLS config helper to API client.
9 years ago
if tlsConfig.CertFile != "" && tlsConfig.KeyFile != "" {
tlsCert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
if err != nil {
return nil, err
}
tlsClientConfig.Certificates = []tls.Certificate{tlsCert}
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
} else if tlsConfig.CertFile != "" || tlsConfig.KeyFile != "" {
return nil, fmt.Errorf("both client cert and client key must be provided")
Adds TLS config helper to API client.
9 years ago
}
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
if tlsConfig.CAFile != "" || tlsConfig.CAPath != "" || len(tlsConfig.CAPem) != 0 {
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
7 years ago
rootConfig := &rootcerts.Config{
api: add option to set TLS options in-memory for API client (#7093) This PR adds the option to set in-memory certificates to the API client instead of requiring the certificate to be stored on disk in a file. This allows us to define API client TLS options per Consul secret backend in Vault. Related issue hashicorp/vault#4800
5 years ago
CAFile: tlsConfig.CAFile,
CAPath: tlsConfig.CAPath,
CACertificate: tlsConfig.CAPem,
Adds enable_agent_tls_for_checks configuration option which allows (#3661) HTTP health checks for services requiring 2-way TLS to be checked using the agent's credentials.
7 years ago
}
if err := rootcerts.ConfigureTLS(tlsClientConfig, rootConfig); err != nil {
return nil, err
}
Adds TLS config helper to API client.
9 years ago
}
return tlsClientConfig, nil
}
Pass around an API Config object and convert to env vars for the managed proxy
6 years ago
func (c *Config) GenerateEnv() []string {
PR Updates Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
6 years ago
env := make([]string, 0, 10)
env = append(env,
fmt.Sprintf("%s=%s", HTTPAddrEnvName, c.Address),
fmt.Sprintf("%s=%s", HTTPTokenEnvName, c.Token),
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
fmt.Sprintf("%s=%s", HTTPTokenFileEnvName, c.TokenFile),
PR Updates Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
6 years ago
fmt.Sprintf("%s=%t", HTTPSSLEnvName, c.Scheme == "https"),
fmt.Sprintf("%s=%s", HTTPCAFile, c.TLSConfig.CAFile),
fmt.Sprintf("%s=%s", HTTPCAPath, c.TLSConfig.CAPath),
fmt.Sprintf("%s=%s", HTTPClientCert, c.TLSConfig.CertFile),
fmt.Sprintf("%s=%s", HTTPClientKey, c.TLSConfig.KeyFile),
fmt.Sprintf("%s=%s", HTTPTLSServerName, c.TLSConfig.Address),
fmt.Sprintf("%s=%t", HTTPSSLVerifyEnvName, !c.TLSConfig.InsecureSkipVerify))
Pass around an API Config object and convert to env vars for the managed proxy
6 years ago
if c.HttpAuth != nil {
PR Updates Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
6 years ago
env = append(env, fmt.Sprintf("%s=%s:%s", HTTPAuthEnvName, c.HttpAuth.Username, c.HttpAuth.Password))
Pass around an API Config object and convert to env vars for the managed proxy
6 years ago
} else {
PR Updates Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config.
6 years ago
env = append(env, fmt.Sprintf("%s=", HTTPAuthEnvName))
Pass around an API Config object and convert to env vars for the managed proxy
6 years ago
}
return env
}
api: initial import from armon/consul-api
10 years ago
// Client provides a client to the Consul API
type Client struct {
config Config
}
// NewClient returns a new client
func NewClient(config *Config) (*Client, error) {
// bootstrap the config
defConfig := DefaultConfig()
Step 3: fix a bug in api.NewClient and fix the tests The api client should never rever to HTTP if the user explicitly requested TLS. This change broke some tests because the tests always use an non-TLS http server, but some tests explicitly enable TLS.
5 years ago
if config.Address == "" {
api: initial import from armon/consul-api
10 years ago
config.Address = defConfig.Address
}
Step 3: fix a bug in api.NewClient and fix the tests The api client should never rever to HTTP if the user explicitly requested TLS. This change broke some tests because the tests always use an non-TLS http server, but some tests explicitly enable TLS.
5 years ago
if config.Scheme == "" {
api: initial import from armon/consul-api
10 years ago
config.Scheme = defConfig.Scheme
}
Make the API client's httpClient more pluggable (#2926)
8 years ago
if config.Transport == nil {
config.Transport = defConfig.Transport
}
Add tls client options to api/cli
8 years ago
if config.TLSConfig.Address == "" {
config.TLSConfig.Address = defConfig.TLSConfig.Address
}
if config.TLSConfig.CAFile == "" {
config.TLSConfig.CAFile = defConfig.TLSConfig.CAFile
}
if config.TLSConfig.CAPath == "" {
config.TLSConfig.CAPath = defConfig.TLSConfig.CAPath
}
if config.TLSConfig.CertFile == "" {
config.TLSConfig.CertFile = defConfig.TLSConfig.CertFile
}
if config.TLSConfig.KeyFile == "" {
config.TLSConfig.KeyFile = defConfig.TLSConfig.KeyFile
}
if !config.TLSConfig.InsecureSkipVerify {
config.TLSConfig.InsecureSkipVerify = defConfig.TLSConfig.InsecureSkipVerify
}
Make the API client's httpClient more pluggable (#2926)
8 years ago
if config.HttpClient == nil {
var err error
config.HttpClient, err = NewHttpClient(config.Transport, config.TLSConfig)
if err != nil {
return nil, err
}
Add tls client options to api/cli
8 years ago
}
Allow prefixing -http-addr with http/https schemes
8 years ago
parts := strings.SplitN(config.Address, "://", 2)
if len(parts) == 2 {
Update docs and give better error for unknown client scheme
8 years ago
switch parts[0] {
case "http":
Step 3: fix a bug in api.NewClient and fix the tests The api client should never rever to HTTP if the user explicitly requested TLS. This change broke some tests because the tests always use an non-TLS http server, but some tests explicitly enable TLS.
5 years ago
// Never revert to http if TLS was explicitly requested.
Update docs and give better error for unknown client scheme
8 years ago
case "https":
Allow prefixing -http-addr with http/https schemes
8 years ago
config.Scheme = "https"
Update docs and give better error for unknown client scheme
8 years ago
case "unix":
Allow prefixing -http-addr with http/https schemes
8 years ago
trans := cleanhttp.DefaultTransport()
Update unix dial functions to use DialContext with new go-cleanhttp
8 years ago
trans.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) {
Allow prefixing -http-addr with http/https schemes
8 years ago
return net.Dial("unix", parts[1])
}
api: create fresh http client for unix sockets (#8602) Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
4 years ago
httpClient, err := NewHttpClient(trans, config.TLSConfig)
if err != nil {
return nil, err
Allow prefixing -http-addr with http/https schemes
8 years ago
}
api: create fresh http client for unix sockets (#8602) Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
4 years ago
config.HttpClient = httpClient
Update docs and give better error for unknown client scheme
8 years ago
default:
return nil, fmt.Errorf("Unknown protocol scheme: %s", parts[0])
Adds client and transport pooling in the API so we don't leak connections.
9 years ago
}
Revert "Adds client and transport pooling in the API so we don't leak connections."
9 years ago
config.Address = parts[1]
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
}
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
// If the TokenFile is set, always use that, even if a Token is configured.
// This is because when TokenFile is set it is read into the Token field.
// We want any derived clients to have to re-read the token file.
if config.TokenFile != "" {
data, err := ioutil.ReadFile(config.TokenFile)
if err != nil {
return nil, fmt.Errorf("Error loading token file: %s", err)
}
if token := strings.TrimSpace(string(data)); token != "" {
config.Token = token
}
}
Fix bug with unused (replaced with "") CONSUL_HTTP_AUTH in some places example: https://github.com/hashicorp/consul/blob/master/watch/plan.go#L26 conf := consulapi.DefaultConfig() conf.Address = address conf.Datacenter = p.Datacenter conf.Token = p.Token # <-- replace Token from DefaultConfig/CONSUL_HTTP_AUTH with "" client, err := consulapi.NewClient(conf) how to reproduce bug: 0. consul -> localhost:8500 with more than 0 service checks 1. deny all for anonymous token 2. create appropriate acl <token> for watch checks (agent:read + node:read,service:read) 3. bash: CONSUL_HTTP_AUTH=<token> consul watch -http-addr=localhost:8500 -type=checks # --> return [] consul watch -http-addr=localhost:8500 -type=checks -token=<token> # -> return { .... right json result .... }
7 years ago
if config.Token == "" {
config.Token = defConfig.Token
}
Add rpc_listener option to segment config
7 years ago
New config parser, HCL support, multiple bind addrs (#3480) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt
7 years ago
return &Client{config: *config}, nil
api: initial import from armon/consul-api
10 years ago
}
Make the API client's httpClient more pluggable (#2926)
8 years ago
// NewHttpClient returns an http client configured with the given Transport and TLS
// config.
func NewHttpClient(transport *http.Transport, tlsConf TLSConfig) (*http.Client, error) {
client := &http.Client{
Transport: transport,
}
Adds HTTP/2 support to Consul's HTTPS server. (#3657) * Refactors the HTTP listen path to create servers in the same spot. * Adds HTTP/2 support to Consul's HTTPS server. * Vendors Go HTTP/2 library and associated deps.
7 years ago
// TODO (slackpad) - Once we get some run time on the HTTP/2 support we
// should turn it on by default if TLS is enabled. We would basically
// just need to call http2.ConfigureTransport(transport) here. We also
// don't want to introduce another external dependency on
// golang.org/x/net/http2 at this time. For a complete recipe for how
// to enable HTTP/2 support on a transport suitable for the API client
// library see agent/http_test.go:TestHTTPServer_H2.
Don't overwrite Transport's TLS config if it's been set
8 years ago
if transport.TLSClientConfig == nil {
tlsClientConfig, err := SetupTLSConfig(&tlsConf)
if err != nil {
return nil, err
}
transport.TLSClientConfig = tlsClientConfig
}
Make the API client's httpClient more pluggable (#2926)
8 years ago
return client, nil
}
api: initial import from armon/consul-api
10 years ago
// request is used to help build up a request
type request struct {
config *Config
method string
url *url.URL
params url.Values
body io.Reader
Use header to send Consul token rather than query param.
8 years ago
header http.Header
api: initial import from armon/consul-api
10 years ago
obj interface{}
Fix socket file handle leaks from old blocking queries upon consul reload. This fixes issue #3018
8 years ago
ctx context.Context
api: initial import from armon/consul-api
10 years ago
}
// setQueryOptions is used to annotate the request with
// additional query options
func (r *request) setQueryOptions(q *QueryOptions) {
if q == nil {
return
}
Add Namespace as an api query/write option (#6551)
5 years ago
if q.Namespace != "" {
r.params.Set("ns", q.Namespace)
}
api: initial import from armon/consul-api
10 years ago
if q.Datacenter != "" {
r.params.Set("dc", q.Datacenter)
}
if q.AllowStale {
r.params.Set("stale", "")
}
if q.RequireConsistent {
r.params.Set("consistent", "")
}
if q.WaitIndex != 0 {
r.params.Set("index", strconv.FormatUint(q.WaitIndex, 10))
}
if q.WaitTime != 0 {
r.params.Set("wait", durToMsec(q.WaitTime))
}
Adds `api` client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list.
7 years ago
if q.WaitHash != "" {
r.params.Set("hash", q.WaitHash)
}
api: initial import from armon/consul-api
10 years ago
if q.Token != "" {
Use header to send Consul token rather than query param.
8 years ago
r.header.Set("X-Consul-Token", q.Token)
api: initial import from armon/consul-api
10 years ago
}
Adds support for coordinates to client API.
9 years ago
if q.Near != "" {
r.params.Set("near", q.Near)
}
Implement data filtering of some endpoints (#5579) Fixes: #4222 # Data Filtering This PR will implement filtering for the following endpoints: ## Supported HTTP Endpoints - `/agent/checks` - `/agent/services` - `/catalog/nodes` - `/catalog/service/:service` - `/catalog/connect/:service` - `/catalog/node/:node` - `/health/node/:node` - `/health/checks/:service` - `/health/service/:service` - `/health/connect/:service` - `/health/state/:state` - `/internal/ui/nodes` - `/internal/ui/services` More can be added going forward and any endpoint which is used to list some data is a good candidate. ## Usage When using the HTTP API a `filter` query parameter can be used to pass a filter expression to Consul. Filter Expressions take the general form of: ``` <selector> == <value> <selector> != <value> <value> in <selector> <value> not in <selector> <selector> contains <value> <selector> not contains <value> <selector> is empty <selector> is not empty not <other expression> <expression 1> and <expression 2> <expression 1> or <expression 2> ``` Normal boolean logic and precedence is supported. All of the actual filtering and evaluation logic is coming from the [go-bexpr](https://github.com/hashicorp/go-bexpr) library ## Other changes Adding the `Internal.ServiceDump` RPC endpoint. This will allow the UI to filter services better.
6 years ago
if q.Filter != "" {
r.params.Set("filter", q.Filter)
}
Update client api and docs for node metadata
8 years ago
if len(q.NodeMeta) > 0 {
for key, value := range q.NodeMeta {
r.params.Add("node-meta", key+":"+value)
}
}
Convert keyring command to use base.Command
8 years ago
if q.RelayFactor != 0 {
r.params.Set("relay-factor", strconv.Itoa(int(q.RelayFactor)))
}
add flag to allow /operator/keyring requests to only hit local servers (#6279) Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic). HTTP API: GET /operator/keyring?local-only=true CLI: consul keyring -list --local-only Sending the local-only flag with any non-GET/list request will result in an error.
5 years ago
if q.LocalOnly {
r.params.Set("local-only", fmt.Sprintf("%t", q.LocalOnly))
}
api: change Connect to a query option
7 years ago
if q.Connect {
r.params.Set("connect", "true")
}
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
if q.UseCache && !q.RequireConsistent {
r.params.Set("cached", "")
cc := []string{}
if q.MaxAge > 0 {
cc = append(cc, fmt.Sprintf("max-age=%.0f", q.MaxAge.Seconds()))
}
if q.StaleIfError > 0 {
cc = append(cc, fmt.Sprintf("stale-if-error=%.0f", q.StaleIfError.Seconds()))
}
if len(cc) > 0 {
r.header.Set("Cache-Control", strings.Join(cc, ", "))
}
}
Prune Unhealthy Agents (#6571) * Add -prune flag to ForceLeave
5 years ago
Expands and rework context support in the API client. (#3273)
7 years ago
r.ctx = q.ctx
api: initial import from armon/consul-api
10 years ago
}
Makes the API behave better with small wait values.
9 years ago
// durToMsec converts a duration to a millisecond specified string. If the
// user selected a positive value that rounds to 0 ms, then we will use 1 ms
// so they get a short delay, otherwise Consul will translate the 0 ms into
// a huge default delay.
api: initial import from armon/consul-api
10 years ago
func durToMsec(dur time.Duration) string {
Makes the API behave better with small wait values.
9 years ago
ms := dur / time.Millisecond
if dur > 0 && ms == 0 {
ms = 1
}
return fmt.Sprintf("%dms", ms)
api: initial import from armon/consul-api
10 years ago
}
Factors server error checking into a new function.
9 years ago
// serverError is a string we look for to detect 500 errors.
const serverError = "Unexpected response code: 500"
retry locks on network errors (#3553) * retry locks on network errors When communicating with a local agent and watching a lock, a dropped connection between the agent and server will show up as a server error and immediately be retried. However if the client is connected to a remote server, a dropped connection immediately aborts the lock. * Updates comment about it being unsafe for writes.
7 years ago
// IsRetryableError returns true for 500 errors from the Consul servers, and
// network connection errors. These are usually retryable at a later time.
// This applies to reads but NOT to writes. This may return true for errors
// on writes that may have still gone through, so do not use this to retry
// any write operations.
func IsRetryableError(err error) bool {
Factors server error checking into a new function.
9 years ago
if err == nil {
return false
}
retry locks on network errors (#3553) * retry locks on network errors When communicating with a local agent and watching a lock, a dropped connection between the agent and server will show up as a server error and immediately be retried. However if the client is connected to a remote server, a dropped connection immediately aborts the lock. * Updates comment about it being unsafe for writes.
7 years ago
if _, ok := err.(net.Error); ok {
return true
}
Factors server error checking into a new function.
9 years ago
// TODO (slackpad) - Make a real error type here instead of using
// a string check.
return strings.Contains(err.Error(), serverError)
}
api: initial import from armon/consul-api
10 years ago
// setWriteOptions is used to annotate the request with
// additional write options
func (r *request) setWriteOptions(q *WriteOptions) {
if q == nil {
return
}
Add Namespace as an api query/write option (#6551)
5 years ago
if q.Namespace != "" {
r.params.Set("ns", q.Namespace)
}
api: initial import from armon/consul-api
10 years ago
if q.Datacenter != "" {
r.params.Set("dc", q.Datacenter)
}
if q.Token != "" {
Use header to send Consul token rather than query param.
8 years ago
r.header.Set("X-Consul-Token", q.Token)
api: initial import from armon/consul-api
10 years ago
}
Convert keyring command to use base.Command
8 years ago
if q.RelayFactor != 0 {
Cleanup and formatting adjustments
8 years ago
r.params.Set("relay-factor", strconv.Itoa(int(q.RelayFactor)))
Convert keyring command to use base.Command
8 years ago
}
Expands and rework context support in the API client. (#3273)
7 years ago
r.ctx = q.ctx
api: initial import from armon/consul-api
10 years ago
}
// toHTTP converts the request to an HTTP request
func (r *request) toHTTP() (*http.Request, error) {
// Encode the query parameters
r.url.RawQuery = r.params.Encode()
// Check if we should encode the body
if r.body == nil && r.obj != nil {
golint: Untangle if blocks with return in else
8 years ago
b, err := encodeBody(r.obj)
if err != nil {
api: initial import from armon/consul-api
10 years ago
return nil, err
}
golint: Untangle if blocks with return in else
8 years ago
r.body = b
api: initial import from armon/consul-api
10 years ago
}
// Create the HTTP request
RPC and HTTP interfaces fully generically-sockified so Unix is supported. Client works for RPC; will honor CONSUL_RPC_ADDR. HTTP works via consul/api; honors CONSUL_HTTP_ADDR. The format of a Unix socket in configuration data is: "unix://[/path/to/socket];[username or uid];[gid];[mode]" Obviously, the user must have appropriate permissions to create the socket file in the given path and assign the requested uid/gid. Also note that Go does not support gid lookups from group name, so gid must be numeric. See https://codereview.appspot.com/101310044 When connecting from the client, the format is just the first part of the above line: "unix://[/path/to/socket]" This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
req, err := http.NewRequest(r.method, r.url.RequestURI(), r.body)
if err != nil {
return nil, err
}
req.URL.Host = r.url.Host
req.URL.Scheme = r.url.Scheme
req.Host = r.url.Host
Use header to send Consul token rather than query param.
8 years ago
req.Header = r.header
Import HTTP basic auth patch from armon/consul-api#16
10 years ago
// Setup auth
Ensure a socket is created for permissions adjustment tests and fix some items pointed out in the code review This code is copyright 2014 Akamai Technologies, Inc. <opensource@akamai.com>
10 years ago
if r.config.HttpAuth != nil {
Import HTTP basic auth patch from armon/consul-api#16
10 years ago
req.SetBasicAuth(r.config.HttpAuth.Username, r.config.HttpAuth.Password)
}
Fix socket file handle leaks from old blocking queries upon consul reload. This fixes issue #3018
8 years ago
if r.ctx != nil {
return req.WithContext(r.ctx), nil
}
remove golint warnings
7 years ago
return req, nil
api: initial import from armon/consul-api
10 years ago
}
// newRequest is used to create a new request
func (c *Client) newRequest(method, path string) *request {
r := &request{
config: &c.config,
method: method,
url: &url.URL{
Scheme: c.config.Scheme,
Host: c.config.Address,
Path: path,
},
params: make(map[string][]string),
Use header to send Consul token rather than query param.
8 years ago
header: make(http.Header),
api: initial import from armon/consul-api
10 years ago
}
if c.config.Datacenter != "" {
r.params.Set("dc", c.config.Datacenter)
}
OSS KV Modifications to Support Namespaces
5 years ago
if c.config.Namespace != "" {
r.params.Set("ns", c.config.Namespace)
}
api: initial import from armon/consul-api
10 years ago
if c.config.WaitTime != 0 {
r.params.Set("wait", durToMsec(r.config.WaitTime))
}
if c.config.Token != "" {
Use header to send Consul token rather than query param.
8 years ago
r.header.Set("X-Consul-Token", r.config.Token)
api: initial import from armon/consul-api
10 years ago
}
return r
}
// doRequest runs a request with our client
func (c *Client) doRequest(r *request) (time.Duration, *http.Response, error) {
req, err := r.toHTTP()
if err != nil {
return 0, nil, err
}
start := time.Now()
resp, err := c.config.HttpClient.Do(req)
Replace time.Now().Sub(x) with time.Since(x)
7 years ago
diff := time.Since(start)
api: initial import from armon/consul-api
10 years ago
return diff, resp, err
}
api: Refactoring into shared query logic
10 years ago
// Query is used to do a GET request against an endpoint
// and deserialize the response into an interface using
// standard Consul conventions.
func (c *Client) query(endpoint string, out interface{}, q *QueryOptions) (*QueryMeta, error) {
r := c.newRequest("GET", endpoint)
r.setQueryOptions(q)
Implement /v1/agent/health/service/<service name> endpoint (#3551) This endpoint aggregates all checks related to <service id> on the agent and return an appropriate http code + the string describing the worst check. This allows to cleanly expose service status to other component, hiding complexity of multiple checks. This is especially useful to use consul to feed a load balancer which would delegate health checking to consul agent. Exposing this endpoint on the agent is necessary to avoid a hit on consul servers and avoid decreasing resiliency (this endpoint will work even if there is no consul leader in the cluster).
6 years ago
rtt, resp, err := c.doRequest(r)
api: Refactoring into shared query logic
10 years ago
if err != nil {
return nil, err
}
defer resp.Body.Close()
qm := &QueryMeta{}
parseQueryMeta(resp, qm)
qm.RequestTime = rtt
if err := decodeBody(resp, out); err != nil {
return nil, err
}
return qm, nil
}
api: Refactoring into shared write logic
10 years ago
// write is used to do a PUT request against an endpoint
// and serialize/deserialized using the standard Consul conventions.
func (c *Client) write(endpoint string, in, out interface{}, q *WriteOptions) (*WriteMeta, error) {
r := c.newRequest("PUT", endpoint)
r.setWriteOptions(q)
r.obj = in
rtt, resp, err := requireOK(c.doRequest(r))
if err != nil {
return nil, err
}
defer resp.Body.Close()
wm := &WriteMeta{RequestTime: rtt}
if out != nil {
if err := decodeBody(resp, &out); err != nil {
return nil, err
}
Prevent Session.Destroy from leaving open TCP connections
8 years ago
} else if _, err := ioutil.ReadAll(resp.Body); err != nil {
return nil, err
api: Refactoring into shared write logic
10 years ago
}
return wm, nil
}
api: initial import from armon/consul-api
10 years ago
// parseQueryMeta is used to help parse query meta-data
acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout
6 years ago
//
// TODO(rb): bug? the error from this function is never handled
api: initial import from armon/consul-api
10 years ago
func parseQueryMeta(resp *http.Response, q *QueryMeta) error {
header := resp.Header
Basic `watch` support for connect proxy config and certificate endpoints. - Includes some bug fixes for previous `api` work and `agent` that weren't tested - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches. - Integration into `connect` is partially done here but still WIP
7 years ago
// Parse the X-Consul-Index (if it's set - hash based blocking queries don't
// set this)
if indexStr := header.Get("X-Consul-Index"); indexStr != "" {
index, err := strconv.ParseUint(indexStr, 10, 64)
if err != nil {
return fmt.Errorf("Failed to parse X-Consul-Index: %v", err)
}
q.LastIndex = index
api: initial import from armon/consul-api
10 years ago
}
Basic `watch` support for connect proxy config and certificate endpoints. - Includes some bug fixes for previous `api` work and `agent` that weren't tested - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches. - Integration into `connect` is partially done here but still WIP
7 years ago
q.LastContentHash = header.Get("X-Consul-ContentHash")
api: initial import from armon/consul-api
10 years ago
// Parse the X-Consul-LastContact
last, err := strconv.ParseUint(header.Get("X-Consul-LastContact"), 10, 64)
if err != nil {
return fmt.Errorf("Failed to parse X-Consul-LastContact: %v", err)
}
q.LastContact = time.Duration(last) * time.Millisecond
// Parse the X-Consul-KnownLeader
switch header.Get("X-Consul-KnownLeader") {
case "true":
q.KnownLeader = true
default:
q.KnownLeader = false
}
Adds an `X-Consul-Translate-Addresses` to signal translation is enabled.
8 years ago
// Parse X-Consul-Translate-Addresses
switch header.Get("X-Consul-Translate-Addresses") {
case "true":
q.AddressTranslationEnabled = true
default:
q.AddressTranslationEnabled = false
}
agent: return the default ACL policy to callers as a header (#9101) Header is: X-Consul-Default-ACL-Policy=<allow|deny> This is of particular utility when fetching matching intentions, as the fallthrough for a request that doesn't match any intentions is to enforce using the default acl policy.
4 years ago
// Parse X-Consul-Default-ACL-Policy
switch v := header.Get("X-Consul-Default-ACL-Policy"); v {
case "allow", "deny":
q.DefaultACLPolicy = v
}
Adds an `X-Consul-Translate-Addresses` to signal translation is enabled.
8 years ago
Support Agent Caching for Service Discovery Results (#4541) * Add cache types for catalog/services and health/services and basic test that caching works * Support non-blocking cache types with Cache-Control semantics. * Update API docs to include caching info for every endpoint. * Comment updates per PR feedback. * Add note on caching to the 10,000 foot view on the architecture page to make the new data path more clear. * Document prepared query staleness quirk and force all background requests to AllowStale so we can spread service discovery load across servers.
6 years ago
// Parse Cache info
if cacheStr := header.Get("X-Cache"); cacheStr != "" {
q.CacheHit = strings.EqualFold(cacheStr, "HIT")
}
if ageStr := header.Get("Age"); ageStr != "" {
age, err := strconv.ParseUint(ageStr, 10, 64)
if err != nil {
return fmt.Errorf("Failed to parse Age Header: %v", err)
}
q.CacheAge = time.Duration(age) * time.Second
}
api: initial import from armon/consul-api
10 years ago
return nil
}
// decodeBody is used to JSON decode a body
func decodeBody(resp *http.Response, out interface{}) error {
dec := json.NewDecoder(resp.Body)
return dec.Decode(out)
}
// encodeBody is used to encode a request body
func encodeBody(obj interface{}) (io.Reader, error) {
buf := bytes.NewBuffer(nil)
enc := json.NewEncoder(buf)
if err := enc.Encode(obj); err != nil {
return nil, err
}
return buf, nil
}
// requireOK is used to wrap doRequest and check for a 200
func requireOK(d time.Duration, resp *http.Response, e error) (time.Duration, *http.Response, error) {
if e != nil {
fixed: requireOK should close Body on error
10 years ago
if resp != nil {
resp.Body.Close()
}
return d, nil, e
api: initial import from armon/consul-api
10 years ago
}
if resp.StatusCode != 200 {
acl: adding Roles to Tokens (#5514) Roles are named and can express the same bundle of permissions that can currently be assigned to a Token (lists of Policies and Service Identities). The difference with a Role is that it not itself a bearer token, but just another entity that can be tied to a Token. This lets an operator potentially curate a set of smaller reusable Policies and compose them together into reusable Roles, rather than always exploding that same list of Policies on any Token that needs similar permissions. This also refactors the acl replication code to be semi-generic to avoid 3x copypasta.
6 years ago
return d, nil, generateUnexpectedResponseCodeError(resp)
api: initial import from armon/consul-api
10 years ago
}
fixed: requireOK should close Body on error
10 years ago
return d, resp, nil
api: initial import from armon/consul-api
10 years ago
}
Implement data filtering of some endpoints (#5579) Fixes: #4222 # Data Filtering This PR will implement filtering for the following endpoints: ## Supported HTTP Endpoints - `/agent/checks` - `/agent/services` - `/catalog/nodes` - `/catalog/service/:service` - `/catalog/connect/:service` - `/catalog/node/:node` - `/health/node/:node` - `/health/checks/:service` - `/health/service/:service` - `/health/connect/:service` - `/health/state/:state` - `/internal/ui/nodes` - `/internal/ui/services` More can be added going forward and any endpoint which is used to list some data is a good candidate. ## Usage When using the HTTP API a `filter` query parameter can be used to pass a filter expression to Consul. Filter Expressions take the general form of: ``` <selector> == <value> <selector> != <value> <value> in <selector> <value> not in <selector> <selector> contains <value> <selector> not contains <value> <selector> is empty <selector> is not empty not <other expression> <expression 1> and <expression 2> <expression 1> or <expression 2> ``` Normal boolean logic and precedence is supported. All of the actual filtering and evaluation logic is coming from the [go-bexpr](https://github.com/hashicorp/go-bexpr) library ## Other changes Adding the `Internal.ServiceDump` RPC endpoint. This will allow the UI to filter services better.
6 years ago
func (req *request) filterQuery(filter string) {
if filter == "" {
return
}
req.params.Set("filter", filter)
}
acl: adding Roles to Tokens (#5514) Roles are named and can express the same bundle of permissions that can currently be assigned to a Token (lists of Policies and Service Identities). The difference with a Role is that it not itself a bearer token, but just another entity that can be tied to a Token. This lets an operator potentially curate a set of smaller reusable Policies and compose them together into reusable Roles, rather than always exploding that same list of Policies on any Token that needs similar permissions. This also refactors the acl replication code to be semi-generic to avoid 3x copypasta.
6 years ago
// generateUnexpectedResponseCodeError consumes the rest of the body, closes
// the body stream and generates an error indicating the status code was
// unexpected.
func generateUnexpectedResponseCodeError(resp *http.Response) error {
var buf bytes.Buffer
io.Copy(&buf, resp.Body)
resp.Body.Close()
return fmt.Errorf("Unexpected response code: %d (%s)", resp.StatusCode, buf.Bytes())
}
func requireNotFoundOrOK(d time.Duration, resp *http.Response, e error) (bool, time.Duration, *http.Response, error) {
if e != nil {
if resp != nil {
resp.Body.Close()
}
return false, d, nil, e
}
switch resp.StatusCode {
case 200:
return true, d, resp, nil
case 404:
return false, d, resp, nil
default:
return false, d, nil, generateUnexpectedResponseCodeError(resp)
}
}