github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21422 Commits
1703 Branches
457 Tags
697 MiB
Tree: ab794b59f8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ab794b59f8'
${ noResults }
consul/agent/config/deprecated.go

329 lines
11 KiB
Raw Normal View History Unescape

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
1 year ago
// SPDX-License-Identifier: BUSL-1.1
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2 years ago
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
package config
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
import (
"fmt"
agent: convert listener config to TLS types (#12522) * tlsutil: initial implementation of types/TLSVersion tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types * website: update Consul agent tls_min_version values * agent: fixup TLS parsing and compilation errors * test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test * tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites * test: revert autoconfig tls min version fixtures to old format * types: add TLSVersions public function * agent: add warning for deprecated TLS version strings * agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder * tlsutil(BREAKING): change default TLS min version to TLS 1.2 * agent: move ParseCiphers logic from tlsutil into agent config builder * tlsutil: remove unused CipherString function * agent: fixup import for types package * Revert "tlsutil: remove unused CipherString function" This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c. * agent: fixup config builder and runtime tests * tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig * test: move TLS cipher suites parsing test from tlsutil into agent config builder tests * agent: remove parseCiphers helper from auto_config_endpoint_test * test: remove unused imports from tlsutil * agent: remove resolved FIXME comment * tlsutil: remove TODO and FIXME in cipher suite validation * agent: prevent setting inherited cipher suite config when TLS 1.3 is specified * changelog: add entry for converting agent config to TLS types * agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now * tlsutil: remove config tests for values checked at agent config builder boundary * tlsutil: remove tls version check from loadProtocolConfig * tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites * website: update search link for supported Consul agent cipher suites * website: apply review suggestions for tls_min_version description * website: attempt to clean up markdown list formatting for tls_min_version * website: moar linebreaks to fix tls_min_version formatting * Revert "website: moar linebreaks to fix tls_min_version formatting" This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c. * autoconfig: translate old values for TLSMinVersion * agent: rename var for translated value of deprecated TLS version value * Update agent/config/deprecated.go Co-authored-by: Dan Upton <daniel@floppy.co> * agent: fix lint issue * agent: fixup deprecated config test assertions for updated warning Co-authored-by: Dan Upton <daniel@floppy.co>
3 years ago
Adding experimental support for a more efficient LogStore implementation (#16176) * Adding experimental support for a more efficient LogStore implementation * Adding changelog entry * Fix go mod tidy issues
2 years ago
"github.com/hashicorp/consul/agent/consul"
agent: convert listener config to TLS types (#12522) * tlsutil: initial implementation of types/TLSVersion tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types * website: update Consul agent tls_min_version values * agent: fixup TLS parsing and compilation errors * test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test * tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites * test: revert autoconfig tls min version fixtures to old format * types: add TLSVersions public function * agent: add warning for deprecated TLS version strings * agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder * tlsutil(BREAKING): change default TLS min version to TLS 1.2 * agent: move ParseCiphers logic from tlsutil into agent config builder * tlsutil: remove unused CipherString function * agent: fixup import for types package * Revert "tlsutil: remove unused CipherString function" This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c. * agent: fixup config builder and runtime tests * tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig * test: move TLS cipher suites parsing test from tlsutil into agent config builder tests * agent: remove parseCiphers helper from auto_config_endpoint_test * test: remove unused imports from tlsutil * agent: remove resolved FIXME comment * tlsutil: remove TODO and FIXME in cipher suite validation * agent: prevent setting inherited cipher suite config when TLS 1.3 is specified * changelog: add entry for converting agent config to TLS types * agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now * tlsutil: remove config tests for values checked at agent config builder boundary * tlsutil: remove tls version check from loadProtocolConfig * tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites * website: update search link for supported Consul agent cipher suites * website: apply review suggestions for tls_min_version description * website: attempt to clean up markdown list formatting for tls_min_version * website: moar linebreaks to fix tls_min_version formatting * Revert "website: moar linebreaks to fix tls_min_version formatting" This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c. * autoconfig: translate old values for TLSMinVersion * agent: rename var for translated value of deprecated TLS version value * Update agent/config/deprecated.go Co-authored-by: Dan Upton <daniel@floppy.co> * agent: fix lint issue * agent: fixup deprecated config test assertions for updated warning Co-authored-by: Dan Upton <daniel@floppy.co>
3 years ago
"github.com/hashicorp/consul/types"
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
)
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
type DeprecatedConfig struct {
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
ACLAgentMasterToken *string `mapstructure:"acl_agent_master_token"`
config: Move two more fields to DeprecatedConfig And add a test for deprecated config fields.
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
ACLAgentToken *string `mapstructure:"acl_agent_token"`
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
ACLToken *string `mapstructure:"acl_token"`
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_key_list_policy"
ACLEnableKeyListPolicy *bool `mapstructure:"acl_enable_key_list_policy"`
config: Move two more fields to DeprecatedConfig And add a test for deprecated config fields.
3 years ago
config: move ACL master token and replication to DeprecatedConfig
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
ACLMasterToken *string `mapstructure:"acl_master_token"`
// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
ACLReplicationToken *string `mapstructure:"acl_replication_token"`
config: Deprecate EnableACLReplication replaced by ACL.TokenReplication
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_token_replication"
EnableACLReplication *bool `mapstructure:"enable_acl_replication"`
config: move ACL master token and replication to DeprecatedConfig
3 years ago
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
ACLDatacenter *string `mapstructure:"acl_datacenter"`
config: move acl_{default,down}_policy to DeprecatedConfig
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.default_policy"
ACLDefaultPolicy *string `mapstructure:"acl_default_policy"`
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.down_policy"
ACLDownPolicy *string `mapstructure:"acl_down_policy"`
config: move acl_ttl to DeprecatedConfig
3 years ago
// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.token_ttl"
ACLTTL *string `mapstructure:"acl_ttl"`
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
// DEPRECATED(TLS) - moved to "tls.defaults.ca_file"
CAFile *string `mapstructure:"ca_file"`
// DEPRECATED(TLS) - moved to "tls.defaults.ca_path"
CAPath *string `mapstructure:"ca_path"`
// DEPRECATED(TLS) - moved to "tls.defaults.cert_file"
CertFile *string `mapstructure:"cert_file"`
// DEPRECATED(TLS) - moved to "tls.defaults.key_file"
KeyFile *string `mapstructure:"key_file"`
// DEPRECATED(TLS) - moved to "tls.defaults.tls_cipher_suites"
TLSCipherSuites *string `mapstructure:"tls_cipher_suites"`
// DEPRECATED(TLS) - moved to "tls.defaults.tls_min_version"
TLSMinVersion *string `mapstructure:"tls_min_version"`
// DEPRECATED(TLS) - moved to "tls.defaults.verify_incoming"
VerifyIncoming *bool `mapstructure:"verify_incoming"`
// DEPRECATED(TLS) - moved to "tls.https.verify_incoming"
VerifyIncomingHTTPS *bool `mapstructure:"verify_incoming_https"`
// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_incoming"
VerifyIncomingRPC *bool `mapstructure:"verify_incoming_rpc"`
// DEPRECATED(TLS) - moved to "tls.defaults.verify_outgoing"
VerifyOutgoing *bool `mapstructure:"verify_outgoing"`
// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_server_hostname"
VerifyServerHostname *bool `mapstructure:"verify_server_hostname"`
// DEPRECATED(TLS) - this isn't honored by crypto/tls anymore.
TLSPreferServerCipherSuites *bool `mapstructure:"tls_prefer_server_cipher_suites"`
Deprecate -join and -join-wan (#15598)
2 years ago
// DEPRECATED(JOIN) - replaced by retry_join
StartJoinAddrsLAN []string `mapstructure:"start_join"`
// DEPRECATED(JOIN) - replaced by retry_join_wan
StartJoinAddrsWAN []string `mapstructure:"start_join_wan"`
Adding experimental support for a more efficient LogStore implementation (#16176) * Adding experimental support for a more efficient LogStore implementation * Adding changelog entry * Fix go mod tidy issues
2 years ago
// DEPRECATED see RaftLogStore
RaftBoltDBConfig *consul.RaftBoltDBConfig `mapstructure:"raft_boltdb" json:"-"`
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
}
func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
dep := d.DeprecatedConfig
var warns []string
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
// TODO(boxofrad): The DeprecatedConfig struct only holds fields that were once
// on the top-level Config struct (not nested fields e.g. ACL.Tokens) maybe we
// should rethink this a bit?
if d.Config.ACL.Tokens.AgentMaster != nil {
if d.Config.ACL.Tokens.AgentRecovery == nil {
d.Config.ACL.Tokens.AgentRecovery = d.Config.ACL.Tokens.AgentMaster
}
warns = append(warns, deprecationWarning("acl.tokens.agent_master", "acl.tokens.agent_recovery"))
}
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
if dep.ACLAgentMasterToken != nil {
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
if d.Config.ACL.Tokens.AgentRecovery == nil {
d.Config.ACL.Tokens.AgentRecovery = dep.ACLAgentMasterToken
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
}
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
warns = append(warns, deprecationWarning("acl_agent_master_token", "acl.tokens.agent_recovery"))
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
}
config: Move two more fields to DeprecatedConfig And add a test for deprecated config fields.
3 years ago
if dep.ACLAgentToken != nil {
if d.Config.ACL.Tokens.Agent == nil {
d.Config.ACL.Tokens.Agent = dep.ACLAgentToken
}
warns = append(warns, deprecationWarning("acl_agent_token", "acl.tokens.agent"))
}
if dep.ACLToken != nil {
if d.Config.ACL.Tokens.Default == nil {
d.Config.ACL.Tokens.Default = dep.ACLToken
}
warns = append(warns, deprecationWarning("acl_token", "acl.tokens.default"))
}
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
if d.Config.ACL.Tokens.Master != nil {
if d.Config.ACL.Tokens.InitialManagement == nil {
d.Config.ACL.Tokens.InitialManagement = d.Config.ACL.Tokens.Master
}
warns = append(warns, deprecationWarning("acl.tokens.master", "acl.tokens.initial_management"))
}
config: move ACL master token and replication to DeprecatedConfig
3 years ago
if dep.ACLMasterToken != nil {
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
if d.Config.ACL.Tokens.InitialManagement == nil {
d.Config.ACL.Tokens.InitialManagement = dep.ACLMasterToken
config: move ACL master token and replication to DeprecatedConfig
3 years ago
}
Rename `master` and `agent_master` ACL tokens in the config file format (#11665)
3 years ago
warns = append(warns, deprecationWarning("acl_master_token", "acl.tokens.initial_management"))
config: move ACL master token and replication to DeprecatedConfig
3 years ago
}
if dep.ACLReplicationToken != nil {
if d.Config.ACL.Tokens.Replication == nil {
d.Config.ACL.Tokens.Replication = dep.ACLReplicationToken
}
d.Config.ACL.TokenReplication = pBool(true)
warns = append(warns, deprecationWarning("acl_replication_token", "acl.tokens.replication"))
}
config: Deprecate EnableACLReplication replaced by ACL.TokenReplication
3 years ago
if dep.EnableACLReplication != nil {
if d.Config.ACL.TokenReplication == nil {
d.Config.ACL.TokenReplication = dep.EnableACLReplication
}
warns = append(warns, deprecationWarning("enable_acl_replication", "acl.enable_token_replication"))
}
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
if dep.ACLDatacenter != nil {
if d.Config.PrimaryDatacenter == nil {
d.Config.PrimaryDatacenter = dep.ACLDatacenter
}
// when the acl_datacenter config is used it implicitly enables acls
d.Config.ACL.Enabled = pBool(true)
warns = append(warns, deprecationWarning("acl_datacenter", "primary_datacenter"))
}
config: move acl_{default,down}_policy to DeprecatedConfig
3 years ago
if dep.ACLDefaultPolicy != nil {
if d.Config.ACL.DefaultPolicy == nil {
d.Config.ACL.DefaultPolicy = dep.ACLDefaultPolicy
}
warns = append(warns, deprecationWarning("acl_default_policy", "acl.default_policy"))
}
if dep.ACLDownPolicy != nil {
if d.Config.ACL.DownPolicy == nil {
d.Config.ACL.DownPolicy = dep.ACLDownPolicy
}
warns = append(warns, deprecationWarning("acl_down_policy", "acl.down_policy"))
}
config: move acl_ttl to DeprecatedConfig
3 years ago
if dep.ACLTTL != nil {
if d.Config.ACL.TokenTTL == nil {
d.Config.ACL.TokenTTL = dep.ACLTTL
}
warns = append(warns, deprecationWarning("acl_ttl", "acl.token_ttl"))
}
config: Move ACLEnableKeyListPolicy to DeprecatedConfig
3 years ago
if dep.ACLEnableKeyListPolicy != nil {
if d.Config.ACL.EnableKeyListPolicy == nil {
d.Config.ACL.EnableKeyListPolicy = dep.ACLEnableKeyListPolicy
}
warns = append(warns, deprecationWarning("acl_enable_key_list_policy", "acl.enable_key_list_policy"))
}
Deprecate -join and -join-wan (#15598)
2 years ago
if len(dep.StartJoinAddrsLAN) > 0 {
d.Config.RetryJoinLAN = append(d.Config.RetryJoinLAN, dep.StartJoinAddrsLAN...)
warns = append(warns, deprecationWarning("start_join", "retry_join"))
}
if len(dep.StartJoinAddrsWAN) > 0 {
d.Config.RetryJoinWAN = append(d.Config.RetryJoinWAN, dep.StartJoinAddrsWAN...)
warns = append(warns, deprecationWarning("start_join_wan", "retry_join_wan"))
}
Adding experimental support for a more efficient LogStore implementation (#16176) * Adding experimental support for a more efficient LogStore implementation * Adding changelog entry * Fix go mod tidy issues
2 years ago
if dep.RaftBoltDBConfig != nil {
if d.Config.RaftLogStore.BoltDBConfig.NoFreelistSync == nil {
d.Config.RaftLogStore.BoltDBConfig.NoFreelistSync = &dep.RaftBoltDBConfig.NoFreelistSync
}
warns = append(warns, deprecationWarning("raft_boltdb", "raft_logstore.boltdb"))
}
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
warns = append(warns, applyDeprecatedTLSConfig(dep, &d.Config)...)
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
return d.Config, warns
}
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
func applyDeprecatedTLSConfig(dep DeprecatedConfig, cfg *Config) []string {
var warns []string
config: prevent top-level `verify_incoming` enabling mTLS on gRPC port (#13118) Fixes #13088 This is a backwards-compatibility bug introduced in 1.12.
3 years ago
tls := &cfg.TLS
defaults := &tls.Defaults
internalRPC := &tls.InternalRPC
https := &tls.HTTPS
grpc := &tls.GRPC
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
if v := dep.CAFile; v != nil {
if defaults.CAFile == nil {
defaults.CAFile = v
}
warns = append(warns, deprecationWarning("ca_file", "tls.defaults.ca_file"))
}
if v := dep.CAPath; v != nil {
if defaults.CAPath == nil {
defaults.CAPath = v
}
warns = append(warns, deprecationWarning("ca_path", "tls.defaults.ca_path"))
}
if v := dep.CertFile; v != nil {
if defaults.CertFile == nil {
defaults.CertFile = v
}
warns = append(warns, deprecationWarning("cert_file", "tls.defaults.cert_file"))
}
if v := dep.KeyFile; v != nil {
if defaults.KeyFile == nil {
defaults.KeyFile = v
}
warns = append(warns, deprecationWarning("key_file", "tls.defaults.key_file"))
}
if v := dep.TLSCipherSuites; v != nil {
if defaults.TLSCipherSuites == nil {
defaults.TLSCipherSuites = v
}
warns = append(warns, deprecationWarning("tls_cipher_suites", "tls.defaults.tls_cipher_suites"))
}
if v := dep.TLSMinVersion; v != nil {
if defaults.TLSMinVersion == nil {
agent: convert listener config to TLS types (#12522) * tlsutil: initial implementation of types/TLSVersion tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types * website: update Consul agent tls_min_version values * agent: fixup TLS parsing and compilation errors * test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test * tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites * test: revert autoconfig tls min version fixtures to old format * types: add TLSVersions public function * agent: add warning for deprecated TLS version strings * agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder * tlsutil(BREAKING): change default TLS min version to TLS 1.2 * agent: move ParseCiphers logic from tlsutil into agent config builder * tlsutil: remove unused CipherString function * agent: fixup import for types package * Revert "tlsutil: remove unused CipherString function" This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c. * agent: fixup config builder and runtime tests * tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig * test: move TLS cipher suites parsing test from tlsutil into agent config builder tests * agent: remove parseCiphers helper from auto_config_endpoint_test * test: remove unused imports from tlsutil * agent: remove resolved FIXME comment * tlsutil: remove TODO and FIXME in cipher suite validation * agent: prevent setting inherited cipher suite config when TLS 1.3 is specified * changelog: add entry for converting agent config to TLS types * agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now * tlsutil: remove config tests for values checked at agent config builder boundary * tlsutil: remove tls version check from loadProtocolConfig * tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites * website: update search link for supported Consul agent cipher suites * website: apply review suggestions for tls_min_version description * website: attempt to clean up markdown list formatting for tls_min_version * website: moar linebreaks to fix tls_min_version formatting * Revert "website: moar linebreaks to fix tls_min_version formatting" This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c. * autoconfig: translate old values for TLSMinVersion * agent: rename var for translated value of deprecated TLS version value * Update agent/config/deprecated.go Co-authored-by: Dan Upton <daniel@floppy.co> * agent: fix lint issue * agent: fixup deprecated config test assertions for updated warning Co-authored-by: Dan Upton <daniel@floppy.co>
3 years ago
// NOTE: This inner check for deprecated values should eventually be
// removed
if version, ok := types.DeprecatedConsulAgentTLSVersions[*v]; ok {
// Log warning about deprecated config values
warns = append(warns, fmt.Sprintf("'tls_min_version' value '%s' is deprecated, please specify '%s' instead", *v, version))
versionString := version.String()
defaults.TLSMinVersion = &versionString
} else {
defaults.TLSMinVersion = v
}
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
}
warns = append(warns, deprecationWarning("tls_min_version", "tls.defaults.tls_min_version"))
}
if v := dep.VerifyIncoming; v != nil {
if defaults.VerifyIncoming == nil {
defaults.VerifyIncoming = v
}
config: prevent top-level `verify_incoming` enabling mTLS on gRPC port (#13118) Fixes #13088 This is a backwards-compatibility bug introduced in 1.12.
3 years ago
// Prior to Consul 1.12 it was not possible to enable client certificate
// verification on the gRPC port. We must override GRPC.VerifyIncoming to
// prevent it from inheriting Defaults.VerifyIncoming when we've mapped the
// deprecated top-level verify_incoming field.
if grpc.VerifyIncoming == nil {
grpc.VerifyIncoming = pBool(false)
tls.GRPCModifiedByDeprecatedConfig = &struct{}{}
}
Support per-listener TLS configuration ⚙️ (#12504) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.
3 years ago
warns = append(warns, deprecationWarning("verify_incoming", "tls.defaults.verify_incoming"))
}
if v := dep.VerifyIncomingHTTPS; v != nil {
if https.VerifyIncoming == nil {
https.VerifyIncoming = v
}
warns = append(warns, deprecationWarning("verify_incoming_https", "tls.https.verify_incoming"))
}
if v := dep.VerifyIncomingRPC; v != nil {
if internalRPC.VerifyIncoming == nil {
internalRPC.VerifyIncoming = v
}
warns = append(warns, deprecationWarning("verify_incoming_rpc", "tls.internal_rpc.verify_incoming"))
}
if v := dep.VerifyOutgoing; v != nil {
if defaults.VerifyOutgoing == nil {
defaults.VerifyOutgoing = v
}
warns = append(warns, deprecationWarning("verify_outgoing", "tls.defaults.verify_outgoing"))
}
if v := dep.VerifyServerHostname; v != nil {
if internalRPC.VerifyServerHostname == nil {
internalRPC.VerifyServerHostname = v
}
warns = append(warns, deprecationWarning("verify_server_hostname", "tls.internal_rpc.verify_server_hostname"))
}
if dep.TLSPreferServerCipherSuites != nil {
warns = append(warns, "The 'tls_prefer_server_cipher_suites' field is deprecated and will be ignored.")
}
return warns
}
config: Introduce DeprecatedConfig This struct allows us to move all the deprecated config options off of the main config struct, and keeps all the deprecation logic in a single place, instead of spread across 3+ places.
4 years ago
func deprecationWarning(old, new string) string {
return fmt.Sprintf("The '%v' field is deprecated. Use the '%v' field instead.", old, new)
}
func pBool(v bool) *bool {
return &v
}