diff --git a/agent/config/builder.go b/agent/config/builder.go index b043540cc8..00c635886b 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -527,32 +527,21 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier) // Connect proxy defaults. - var connectEnabled bool - var connectCAProvider string - var connectCAConfig map[string]interface{} - if c.Connect != nil { - connectEnabled = b.boolVal(c.Connect.Enabled) - connectCAProvider = b.stringVal(c.Connect.CAProvider) - connectCAConfig = c.Connect.CAConfig - if c.Connect.CAConfig != nil { - TranslateKeys(connectCAConfig, map[string]string{ - "private_key": "PrivateKey", - "root_cert": "RootCert", - "rotation_period": "RotationPeriod", - }) - } + connectEnabled := b.boolVal(c.Connect.Enabled) + connectCAProvider := b.stringVal(c.Connect.CAProvider) + connectCAConfig := c.Connect.CAConfig + if connectCAConfig != nil { + TranslateKeys(connectCAConfig, map[string]string{ + "private_key": "PrivateKey", + "root_cert": "RootCert", + "rotation_period": "RotationPeriod", + }) } - proxyDefaultExecMode := "" - var proxyDefaultDaemonCommand []string - var proxyDefaultScriptCommand []string - proxyDefaultConfig := make(map[string]interface{}) - if c.Connect != nil && c.Connect.ProxyDefaults != nil { - proxyDefaultExecMode = b.stringVal(c.Connect.ProxyDefaults.ExecMode) - proxyDefaultDaemonCommand = c.Connect.ProxyDefaults.DaemonCommand - proxyDefaultScriptCommand = c.Connect.ProxyDefaults.ScriptCommand - proxyDefaultConfig = c.Connect.ProxyDefaults.Config - } + proxyDefaultExecMode := b.stringVal(c.Connect.ProxyDefaults.ExecMode) + proxyDefaultDaemonCommand := c.Connect.ProxyDefaults.DaemonCommand + proxyDefaultScriptCommand := c.Connect.ProxyDefaults.ScriptCommand + proxyDefaultConfig := c.Connect.ProxyDefaults.Config // ---------------------------------------------------------------- // build runtime config @@ -675,6 +664,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { ConnectEnabled: connectEnabled, ConnectCAProvider: connectCAProvider, ConnectCAConfig: connectCAConfig, + ConnectProxyAllowManagedRoot: b.boolVal(c.Connect.Proxy.AllowManagedRoot), ConnectProxyBindMinPort: proxyMinPort, ConnectProxyBindMaxPort: proxyMaxPort, ConnectProxyDefaultExecMode: proxyDefaultExecMode, diff --git a/agent/config/config.go b/agent/config/config.go index 5b8819525b..b87f03a3d5 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -160,7 +160,7 @@ type Config struct { CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"` Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"` ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"` - Connect *Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"` + Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"` DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"` DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"` DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"` @@ -370,12 +370,21 @@ type Connect struct { // Enabled opts the agent into connect. It should be set on all clients and // servers in a cluster for correct connect operation. Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"` - ProxyDefaults *ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"` + Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"` + ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"` CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"` CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"` } -// ConnectProxyDefaults is the agent-global connect proxy configuration. +// ConnectProxy is the agent-global connect proxy configuration. +type ConnectProxy struct { + // Consul will not execute managed proxies if its EUID is 0 (root). + // If this is true, then Consul will execute proxies if Consul is + // running as root. This is not recommended. + AllowManagedRoot *bool `json:"allow_managed_root" hcl:"allow_managed_root" mapstructure:"allow_managed_root"` +} + +// ConnectProxyDefaults is the agent-global defaults for managed Connect proxies. type ConnectProxyDefaults struct { // ExecMode is used where a registration doesn't include an exec_mode. // Defaults to daemon. diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 1399c5744a..44ecb00854 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -630,6 +630,10 @@ type RuntimeConfig struct { // port is specified. ConnectProxyBindMaxPort int + // ConnectProxyAllowManagedRoot is true if Consul can execute managed + // proxies when running as root (EUID == 0). + ConnectProxyAllowManagedRoot bool + // ConnectProxyDefaultExecMode is used where a registration doesn't include an // exec_mode. Defaults to daemon. ConnectProxyDefaultExecMode string diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 8a19c98e20..d598105ba2 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -2070,6 +2070,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) { rt.DataDir = dataDir }, }, + { desc: "HCL service managed proxy 'upstreams'", args: []string{ @@ -2156,6 +2157,23 @@ func TestConfigFlagsAndEdgecases(t *testing.T) { } }, }, + + { + desc: "enabling Connect allow_managed_root", + args: []string{ + `-data-dir=` + dataDir, + }, + json: []string{ + `{ "connect": { "proxy": { "allow_managed_root": true } } }`, + }, + hcl: []string{ + `connect { proxy { allow_managed_root = true } }`, + }, + patch: func(rt *RuntimeConfig) { + rt.DataDir = dataDir + rt.ConnectProxyAllowManagedRoot = true + }, + }, } testConfig(t, tests, dataDir) @@ -3519,6 +3537,7 @@ func TestFullConfig(t *testing.T) { "g4cvJyys": "IRLXE9Ds", "hyMy9Oxn": "XeBp4Sis", }, + ConnectProxyAllowManagedRoot: false, ConnectProxyDefaultExecMode: "script", ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"}, ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"}, @@ -4200,6 +4219,7 @@ func TestSanitize(t *testing.T) { "ConnectCAConfig": {}, "ConnectCAProvider": "", "ConnectEnabled": false, + "ConnectProxyAllowManagedRoot": false, "ConnectProxyBindMaxPort": 0, "ConnectProxyBindMinPort": 0, "ConnectProxyDefaultConfig": {},