mirror of https://github.com/hashicorp/consul
agent/config: add AllowManagedRoot
parent
82a4b3c13f
commit
4897ca6545
|
@ -527,32 +527,21 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
||||||
|
|
||||||
// Connect proxy defaults.
|
// Connect proxy defaults.
|
||||||
var connectEnabled bool
|
connectEnabled := b.boolVal(c.Connect.Enabled)
|
||||||
var connectCAProvider string
|
connectCAProvider := b.stringVal(c.Connect.CAProvider)
|
||||||
var connectCAConfig map[string]interface{}
|
connectCAConfig := c.Connect.CAConfig
|
||||||
if c.Connect != nil {
|
if connectCAConfig != nil {
|
||||||
connectEnabled = b.boolVal(c.Connect.Enabled)
|
|
||||||
connectCAProvider = b.stringVal(c.Connect.CAProvider)
|
|
||||||
connectCAConfig = c.Connect.CAConfig
|
|
||||||
if c.Connect.CAConfig != nil {
|
|
||||||
TranslateKeys(connectCAConfig, map[string]string{
|
TranslateKeys(connectCAConfig, map[string]string{
|
||||||
"private_key": "PrivateKey",
|
"private_key": "PrivateKey",
|
||||||
"root_cert": "RootCert",
|
"root_cert": "RootCert",
|
||||||
"rotation_period": "RotationPeriod",
|
"rotation_period": "RotationPeriod",
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
proxyDefaultExecMode := ""
|
proxyDefaultExecMode := b.stringVal(c.Connect.ProxyDefaults.ExecMode)
|
||||||
var proxyDefaultDaemonCommand []string
|
proxyDefaultDaemonCommand := c.Connect.ProxyDefaults.DaemonCommand
|
||||||
var proxyDefaultScriptCommand []string
|
proxyDefaultScriptCommand := c.Connect.ProxyDefaults.ScriptCommand
|
||||||
proxyDefaultConfig := make(map[string]interface{})
|
proxyDefaultConfig := c.Connect.ProxyDefaults.Config
|
||||||
if c.Connect != nil && c.Connect.ProxyDefaults != nil {
|
|
||||||
proxyDefaultExecMode = b.stringVal(c.Connect.ProxyDefaults.ExecMode)
|
|
||||||
proxyDefaultDaemonCommand = c.Connect.ProxyDefaults.DaemonCommand
|
|
||||||
proxyDefaultScriptCommand = c.Connect.ProxyDefaults.ScriptCommand
|
|
||||||
proxyDefaultConfig = c.Connect.ProxyDefaults.Config
|
|
||||||
}
|
|
||||||
|
|
||||||
// ----------------------------------------------------------------
|
// ----------------------------------------------------------------
|
||||||
// build runtime config
|
// build runtime config
|
||||||
|
@ -675,6 +664,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
||||||
ConnectEnabled: connectEnabled,
|
ConnectEnabled: connectEnabled,
|
||||||
ConnectCAProvider: connectCAProvider,
|
ConnectCAProvider: connectCAProvider,
|
||||||
ConnectCAConfig: connectCAConfig,
|
ConnectCAConfig: connectCAConfig,
|
||||||
|
ConnectProxyAllowManagedRoot: b.boolVal(c.Connect.Proxy.AllowManagedRoot),
|
||||||
ConnectProxyBindMinPort: proxyMinPort,
|
ConnectProxyBindMinPort: proxyMinPort,
|
||||||
ConnectProxyBindMaxPort: proxyMaxPort,
|
ConnectProxyBindMaxPort: proxyMaxPort,
|
||||||
ConnectProxyDefaultExecMode: proxyDefaultExecMode,
|
ConnectProxyDefaultExecMode: proxyDefaultExecMode,
|
||||||
|
|
|
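Review bot: `ConnectProxyAllowManagedRoot: b.boolVal(c.Connect.Proxy.AllowManagedRoot)` in the second hunk turns the new flag into a runtime value with no accompanying signal that the EUID == 0 refusal for managed proxies has been switched off; since config.go documents the setting as not recommended, the validation portion of Build (outside this hunk) should at least record a warning through the builder's existing warnings mechanism when `rt.ConnectProxyAllowManagedRoot` is true, so operators see it in the agent log. In the first hunk, `proxyDefaultConfig := c.Connect.ProxyDefaults.Config` replaces the former `make(map[string]interface{})`, so `ConnectProxyDefaultConfig` is now a nil map whenever `proxy_defaults.config` is absent; reading and ranging are unaffected, but any consumer that writes into that map would now panic, so either confirm no writer exists or restore the empty-map default. Build starts and ends outside these hunks.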
@ -160,7 +160,7 @@ type Config struct {
|
||||||
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
|
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
|
||||||
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
|
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
|
||||||
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
|
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
|
||||||
Connect *Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
||||||
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
|
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
|
||||||
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
|
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
|
||||||
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
|
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
|
||||||
|
@ -370,12 +370,21 @@ type Connect struct {
|
||||||
// Enabled opts the agent into connect. It should be set on all clients and
|
// Enabled opts the agent into connect. It should be set on all clients and
|
||||||
// servers in a cluster for correct connect operation.
|
// servers in a cluster for correct connect operation.
|
||||||
Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
|
Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
|
||||||
ProxyDefaults *ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
|
Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
|
||||||
|
ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
|
||||||
CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
|
CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
|
||||||
CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
|
CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ConnectProxyDefaults is the agent-global connect proxy configuration.
|
// ConnectProxy is the agent-global connect proxy configuration.
|
||||||
|
type ConnectProxy struct {
|
||||||
|
// Consul will not execute managed proxies if its EUID is 0 (root).
|
||||||
|
// If this is true, then Consul will execute proxies if Consul is
|
||||||
|
// running as root. This is not recommended.
|
||||||
|
AllowManagedRoot *bool `json:"allow_managed_root" hcl:"allow_managed_root" mapstructure:"allow_managed_root"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// ConnectProxyDefaults is the agent-global defaults for managed Connect proxies.
|
||||||
type ConnectProxyDefaults struct {
|
type ConnectProxyDefaults struct {
|
||||||
// ExecMode is used where a registration doesn't include an exec_mode.
|
// ExecMode is used where a registration doesn't include an exec_mode.
|
||||||
// Defaults to daemon.
|
// Defaults to daemon.
|
||||||
|
|
|
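Review bot: The `AllowManagedRoot` field added in `ConnectProxy` is the only field in this hunk whose JSON tag lacks `,omitempty` (compare `Enabled`, `Proxy`, `CAProvider`), so for consistency the line should read `AllowManagedRoot *bool `json:"allow_managed_root,omitempty" hcl:"allow_managed_root" mapstructure:"allow_managed_root"``. Related, `Connect Connect` and `ProxyDefaults ConnectProxyDefaults` are now struct values rather than pointers, and encoding/json ignores `omitempty` on struct-typed fields, so those tags no longer omit an unset block when the config is encoded; that is harmless if these types are only ever decoded, which the hunk does not show. The `Connect` struct opens outside this hunk.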
@ -630,6 +630,10 @@ type RuntimeConfig struct {
|
||||||
// port is specified.
|
// port is specified.
|
||||||
ConnectProxyBindMaxPort int
|
ConnectProxyBindMaxPort int
|
||||||
|
|
||||||
|
// ConnectProxyAllowManagedRoot is true if Consul can execute managed
|
||||||
|
// proxies when running as root (EUID == 0).
|
||||||
|
ConnectProxyAllowManagedRoot bool
|
||||||
|
|
||||||
// ConnectProxyDefaultExecMode is used where a registration doesn't include an
|
// ConnectProxyDefaultExecMode is used where a registration doesn't include an
|
||||||
// exec_mode. Defaults to daemon.
|
// exec_mode. Defaults to daemon.
|
||||||
ConnectProxyDefaultExecMode string
|
ConnectProxyDefaultExecMode string
|
||||||
|
|
|
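Review bot: The new doc comment on `ConnectProxyAllowManagedRoot` says what the flag permits but not that it is an opt-out of a safety refusal, and a reader of RuntimeConfig alone never sees the "not recommended" caveat that sits on `ConnectProxy.AllowManagedRoot` in config.go. Suggest extending the second comment line to `// proxies when running as root (EUID == 0). Defaults to false; enabling it is not recommended.` so both declarations carry the same warning. The enclosing RuntimeConfig struct starts and ends outside this hunk.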
@ -2070,6 +2070,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
||||||
rt.DataDir = dataDir
|
rt.DataDir = dataDir
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
{
|
{
|
||||||
desc: "HCL service managed proxy 'upstreams'",
|
desc: "HCL service managed proxy 'upstreams'",
|
||||||
args: []string{
|
args: []string{
|
||||||
|
@ -2156,6 +2157,23 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
desc: "enabling Connect allow_managed_root",
|
||||||
|
args: []string{
|
||||||
|
`-data-dir=` + dataDir,
|
||||||
|
},
|
||||||
|
json: []string{
|
||||||
|
`{ "connect": { "proxy": { "allow_managed_root": true } } }`,
|
||||||
|
},
|
||||||
|
hcl: []string{
|
||||||
|
`connect { proxy { allow_managed_root = true } }`,
|
||||||
|
},
|
||||||
|
patch: func(rt *RuntimeConfig) {
|
||||||
|
rt.DataDir = dataDir
|
||||||
|
rt.ConnectProxyAllowManagedRoot = true
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
testConfig(t, tests, dataDir)
|
testConfig(t, tests, dataDir)
|
||||||
|
@ -3519,6 +3537,7 @@ func TestFullConfig(t *testing.T) {
|
||||||
"g4cvJyys": "IRLXE9Ds",
|
"g4cvJyys": "IRLXE9Ds",
|
||||||
"hyMy9Oxn": "XeBp4Sis",
|
"hyMy9Oxn": "XeBp4Sis",
|
||||||
},
|
},
|
||||||
|
ConnectProxyAllowManagedRoot: false,
|
||||||
ConnectProxyDefaultExecMode: "script",
|
ConnectProxyDefaultExecMode: "script",
|
||||||
ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"},
|
ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"},
|
||||||
ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"},
|
ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"},
|
||||||
|
@ -4200,6 +4219,7 @@ func TestSanitize(t *testing.T) {
|
||||||
"ConnectCAConfig": {},
|
"ConnectCAConfig": {},
|
||||||
"ConnectCAProvider": "",
|
"ConnectCAProvider": "",
|
||||||
"ConnectEnabled": false,
|
"ConnectEnabled": false,
|
||||||
|
"ConnectProxyAllowManagedRoot": false,
|
||||||
"ConnectProxyBindMaxPort": 0,
|
"ConnectProxyBindMaxPort": 0,
|
||||||
"ConnectProxyBindMinPort": 0,
|
"ConnectProxyBindMinPort": 0,
|
||||||
"ConnectProxyDefaultConfig": {},
|
"ConnectProxyDefaultConfig": {},
|
||||||
|
|
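Review bot: In the TestFullConfig hunk the new expectation `ConnectProxyAllowManagedRoot: false` is the zero value, which suggests the full-config JSON/HCL fixtures (outside this view) were not given an `allow_managed_root` entry; the surrounding expectations (`"script"`, random-looking map values) appear to give every field a non-default value, so the `connect.proxy` parsing path is covered only by the new "enabling Connect allow_managed_root" case. Adding `"proxy": { "allow_managed_root": true }` to those fixtures and flipping the expectation to `true` would keep that test's role intact, and the same value should then appear in the TestSanitize expectation if its input is derived from the full config. The enclosing test functions start outside these hunks.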