agent/config: add AllowManagedRoot

pull/4275/head
Mitchell Hashimoto 2018-06-12 14:25:08 +02:00 committed by Jack Pearkes
parent 82a4b3c13f
commit 4897ca6545
4 changed files with 50 additions and 27 deletions


@ -527,32 +527,21 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier) consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
// Connect proxy defaults. // Connect proxy defaults.
var connectEnabled bool connectEnabled := b.boolVal(c.Connect.Enabled)
var connectCAProvider string connectCAProvider := b.stringVal(c.Connect.CAProvider)
var connectCAConfig map[string]interface{} connectCAConfig := c.Connect.CAConfig
if c.Connect != nil { if connectCAConfig != nil {
connectEnabled = b.boolVal(c.Connect.Enabled)
connectCAProvider = b.stringVal(c.Connect.CAProvider)
connectCAConfig = c.Connect.CAConfig
if c.Connect.CAConfig != nil {
TranslateKeys(connectCAConfig, map[string]string{ TranslateKeys(connectCAConfig, map[string]string{
"private_key": "PrivateKey", "private_key": "PrivateKey",
"root_cert": "RootCert", "root_cert": "RootCert",
"rotation_period": "RotationPeriod", "rotation_period": "RotationPeriod",
}) })
} }
}
proxyDefaultExecMode := "" proxyDefaultExecMode := b.stringVal(c.Connect.ProxyDefaults.ExecMode)
var proxyDefaultDaemonCommand []string proxyDefaultDaemonCommand := c.Connect.ProxyDefaults.DaemonCommand
var proxyDefaultScriptCommand []string proxyDefaultScriptCommand := c.Connect.ProxyDefaults.ScriptCommand
proxyDefaultConfig := make(map[string]interface{}) proxyDefaultConfig := c.Connect.ProxyDefaults.Config
if c.Connect != nil && c.Connect.ProxyDefaults != nil {
proxyDefaultExecMode = b.stringVal(c.Connect.ProxyDefaults.ExecMode)
proxyDefaultDaemonCommand = c.Connect.ProxyDefaults.DaemonCommand
proxyDefaultScriptCommand = c.Connect.ProxyDefaults.ScriptCommand
proxyDefaultConfig = c.Connect.ProxyDefaults.Config
}
// ---------------------------------------------------------------- // ----------------------------------------------------------------
// build runtime config // build runtime config
@ -675,6 +664,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
ConnectEnabled: connectEnabled, ConnectEnabled: connectEnabled,
ConnectCAProvider: connectCAProvider, ConnectCAProvider: connectCAProvider,
ConnectCAConfig: connectCAConfig, ConnectCAConfig: connectCAConfig,
ConnectProxyAllowManagedRoot: b.boolVal(c.Connect.Proxy.AllowManagedRoot),
ConnectProxyBindMinPort: proxyMinPort, ConnectProxyBindMinPort: proxyMinPort,
ConnectProxyBindMaxPort: proxyMaxPort, ConnectProxyBindMaxPort: proxyMaxPort,
ConnectProxyDefaultExecMode: proxyDefaultExecMode, ConnectProxyDefaultExecMode: proxyDefaultExecMode,
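Review bot: `proxyDefaultConfig` is now taken straight from `c.Connect.ProxyDefaults.Config`, so when no `proxy_defaults` block is configured it is a nil map where the old code defaulted to `make(map[string]interface{})`; a nil map marshals to JSON `null` rather than `{}`, and any consumer that writes into `ConnectProxyDefaultConfig` would panic. Whether anything relies on the old non-nil default is not visible here, but if it does the cheap fix is to keep the assignment and add `if proxyDefaultConfig == nil { proxyDefaultConfig = make(map[string]interface{}) }` right after it. The same pointer-to-value change is what allowed dropping the `c.Connect != nil` guards, which is fine since a zero `Connect` value is now always present. Build() begins and ends outside both hunks of this file.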


@ -160,7 +160,7 @@ type Config struct {
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"` CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"` Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"` ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
Connect *Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"` Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"` DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"` DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"` DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
@ -370,12 +370,21 @@ type Connect struct {
// Enabled opts the agent into connect. It should be set on all clients and // Enabled opts the agent into connect. It should be set on all clients and
// servers in a cluster for correct connect operation. // servers in a cluster for correct connect operation.
Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"` Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
ProxyDefaults *ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"` Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"` CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"` CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
} }
// ConnectProxyDefaults is the agent-global connect proxy configuration. // ConnectProxy is the agent-global connect proxy configuration.
type ConnectProxy struct {
// Consul will not execute managed proxies if its EUID is 0 (root).
// If this is true, then Consul will execute proxies if Consul is
// running as root. This is not recommended.
AllowManagedRoot *bool `json:"allow_managed_root" hcl:"allow_managed_root" mapstructure:"allow_managed_root"`
}
// ConnectProxyDefaults is the agent-global defaults for managed Connect proxies.
type ConnectProxyDefaults struct { type ConnectProxyDefaults struct {
// ExecMode is used where a registration doesn't include an exec_mode. // ExecMode is used where a registration doesn't include an exec_mode.
// Defaults to daemon. // Defaults to daemon.
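Review bot: The json tag on the new `AllowManagedRoot` field is the only one in this struct family without `,omitempty` (`Enabled`, `Proxy`, `ProxyDefaults`, `CAProvider` and `CAConfig` all carry it), so a marshalled Config emits `"allow_managed_root": null` when the option is unset; for consistency use `json:"allow_managed_root,omitempty" hcl:"allow_managed_root" mapstructure:"allow_managed_root"`. The doc comment on `ConnectProxy` says enabling this is "not recommended" but gives no reason; since this is the knob operators will read before flipping it, consider adding a sentence such as `// Proxies are child processes of the agent, so a proxy started by a root agent presumably runs with root privileges; keep this false unless the agent itself is confined.` The `ConnectProxyDefaults` struct continues outside the hunk.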


@ -630,6 +630,10 @@ type RuntimeConfig struct {
// port is specified. // port is specified.
ConnectProxyBindMaxPort int ConnectProxyBindMaxPort int
// ConnectProxyAllowManagedRoot is true if Consul can execute managed
// proxies when running as root (EUID == 0).
ConnectProxyAllowManagedRoot bool
// ConnectProxyDefaultExecMode is used where a registration doesn't include an // ConnectProxyDefaultExecMode is used where a registration doesn't include an
// exec_mode. Defaults to daemon. // exec_mode. Defaults to daemon.
ConnectProxyDefaultExecMode string ConnectProxyDefaultExecMode string
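Review bot: The new `ConnectProxyAllowManagedRoot` comment states the effect but not where the value comes from or its default, which the neighbouring `ConnectProxyBindMaxPort` and `ConnectProxyDefaultExecMode` comments do give. Consider extending it to `// ConnectProxyAllowManagedRoot is true if Consul can execute managed // proxies when running as root (EUID == 0). Set via connect.proxy.allow_managed_root; // defaults to false.` — the key path is the one the new test case uses and the full-config expectation in the test file shows false as the unset value. The `RuntimeConfig` struct starts and ends outside the hunk.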


@ -2070,6 +2070,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
rt.DataDir = dataDir rt.DataDir = dataDir
}, },
}, },
{ {
desc: "HCL service managed proxy 'upstreams'", desc: "HCL service managed proxy 'upstreams'",
args: []string{ args: []string{
@ -2156,6 +2157,23 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
} }
}, },
}, },
{
desc: "enabling Connect allow_managed_root",
args: []string{
`-data-dir=` + dataDir,
},
json: []string{
`{ "connect": { "proxy": { "allow_managed_root": true } } }`,
},
hcl: []string{
`connect { proxy { allow_managed_root = true } }`,
},
patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir
rt.ConnectProxyAllowManagedRoot = true
},
},
} }
testConfig(t, tests, dataDir) testConfig(t, tests, dataDir)
@ -3519,6 +3537,7 @@ func TestFullConfig(t *testing.T) {
"g4cvJyys": "IRLXE9Ds", "g4cvJyys": "IRLXE9Ds",
"hyMy9Oxn": "XeBp4Sis", "hyMy9Oxn": "XeBp4Sis",
}, },
ConnectProxyAllowManagedRoot: false,
ConnectProxyDefaultExecMode: "script", ConnectProxyDefaultExecMode: "script",
ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"}, ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"},
ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"}, ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"},
@ -4200,6 +4219,7 @@ func TestSanitize(t *testing.T) {
"ConnectCAConfig": {}, "ConnectCAConfig": {},
"ConnectCAProvider": "", "ConnectCAProvider": "",
"ConnectEnabled": false, "ConnectEnabled": false,
"ConnectProxyAllowManagedRoot": false,
"ConnectProxyBindMaxPort": 0, "ConnectProxyBindMaxPort": 0,
"ConnectProxyBindMinPort": 0, "ConnectProxyBindMinPort": 0,
"ConnectProxyDefaultConfig": {}, "ConnectProxyDefaultConfig": {},