agent/config: add AllowManagedRoot
parent
82a4b3c13f
commit
4897ca6545
|
@ -527,32 +527,21 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
|||
consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)
|
||||
|
||||
// Connect proxy defaults.
|
||||
var connectEnabled bool
|
||||
var connectCAProvider string
|
||||
var connectCAConfig map[string]interface{}
|
||||
if c.Connect != nil {
|
||||
connectEnabled = b.boolVal(c.Connect.Enabled)
|
||||
connectCAProvider = b.stringVal(c.Connect.CAProvider)
|
||||
connectCAConfig = c.Connect.CAConfig
|
||||
if c.Connect.CAConfig != nil {
|
||||
connectEnabled := b.boolVal(c.Connect.Enabled)
|
||||
connectCAProvider := b.stringVal(c.Connect.CAProvider)
|
||||
connectCAConfig := c.Connect.CAConfig
|
||||
if connectCAConfig != nil {
|
||||
TranslateKeys(connectCAConfig, map[string]string{
|
||||
"private_key": "PrivateKey",
|
||||
"root_cert": "RootCert",
|
||||
"rotation_period": "RotationPeriod",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
proxyDefaultExecMode := ""
|
||||
var proxyDefaultDaemonCommand []string
|
||||
var proxyDefaultScriptCommand []string
|
||||
proxyDefaultConfig := make(map[string]interface{})
|
||||
if c.Connect != nil && c.Connect.ProxyDefaults != nil {
|
||||
proxyDefaultExecMode = b.stringVal(c.Connect.ProxyDefaults.ExecMode)
|
||||
proxyDefaultDaemonCommand = c.Connect.ProxyDefaults.DaemonCommand
|
||||
proxyDefaultScriptCommand = c.Connect.ProxyDefaults.ScriptCommand
|
||||
proxyDefaultConfig = c.Connect.ProxyDefaults.Config
|
||||
}
|
||||
proxyDefaultExecMode := b.stringVal(c.Connect.ProxyDefaults.ExecMode)
|
||||
proxyDefaultDaemonCommand := c.Connect.ProxyDefaults.DaemonCommand
|
||||
proxyDefaultScriptCommand := c.Connect.ProxyDefaults.ScriptCommand
|
||||
proxyDefaultConfig := c.Connect.ProxyDefaults.Config
|
||||
|
||||
// ----------------------------------------------------------------
|
||||
// build runtime config
|
||||
|
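Review bot: The unconditional `c.Connect.ProxyDefaults.ExecMode` dereference and its three siblings are safe only because `Connect` and `ProxyDefaults` become struct values elsewhere in this commit; nothing in the hunk says so, and a reader who later reintroduces a pointer there would reinstate exactly the nil dereference the removed guards prevented. A one-line comment above the new short declarations would make that invariant explicit: `// Connect and ProxyDefaults are value types, so no nil checks are needed here.` The `// Connect proxy defaults.` header now sits above the CA-config block rather than the proxy-defaults block it names; consider moving it down. Build() begins and ends outside this hunk.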
@ -675,6 +664,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
|
|||
ConnectEnabled: connectEnabled,
|
||||
ConnectCAProvider: connectCAProvider,
|
||||
ConnectCAConfig: connectCAConfig,
|
||||
ConnectProxyAllowManagedRoot: b.boolVal(c.Connect.Proxy.AllowManagedRoot),
|
||||
ConnectProxyBindMinPort: proxyMinPort,
|
||||
ConnectProxyBindMaxPort: proxyMaxPort,
|
||||
ConnectProxyDefaultExecMode: proxyDefaultExecMode,
|
||||
|
|
|
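Review bot: `ConnectProxyAllowManagedRoot` disables a safety check (running managed proxies while Consul itself is root, which the config comment later in this diff calls not recommended), but nothing here surfaces that choice to the operator at startup. Emitting a warning from the builder when the resolved value is true, naming the `connect.proxy.allow_managed_root` key, would make the relaxed posture visible in the agent log next to the other configuration warnings. Whether `boolVal` treats a nil `*bool` as false is not visible in this hunk; the neighbouring `ConnectEnabled` line relies on the same helper, so the default appears consistent. Build() continues outside this hunk.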
@ -160,7 +160,7 @@ type Config struct {
|
|||
CheckUpdateInterval *string `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
|
||||
Checks []CheckDefinition `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
|
||||
ClientAddr *string `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
|
||||
Connect *Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
||||
Connect Connect `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
|
||||
DNS DNS `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
|
||||
DNSDomain *string `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
|
||||
DNSRecursors []string `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
|
||||
|
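Review bot: With `Connect` changed from `*Connect` to a struct value, the `omitempty` in its `json` tag no longer does anything — encoding/json never omits a struct value, so a marshalled Config will always contain a `connect` object. If that matters for any serialized output, either drop `,omitempty` so the tag stops implying behaviour that does not exist, or keep the pointer; the same applies to the `Proxy` and `ProxyDefaults` value fields added to `Connect` further down this diff. Whether the hcl or mapstructure decoders treat the value field differently is not visible here.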
@ -370,12 +370,21 @@ type Connect struct {
|
|||
// Enabled opts the agent into connect. It should be set on all clients and
|
||||
// servers in a cluster for correct connect operation.
|
||||
Enabled *bool `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
|
||||
ProxyDefaults *ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
|
||||
Proxy ConnectProxy `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
|
||||
ProxyDefaults ConnectProxyDefaults `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
|
||||
CAProvider *string `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
|
||||
CAConfig map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
|
||||
}
|
||||
|
||||
// ConnectProxyDefaults is the agent-global connect proxy configuration.
|
||||
// ConnectProxy is the agent-global connect proxy configuration.
|
||||
type ConnectProxy struct {
|
||||
// Consul will not execute managed proxies if its EUID is 0 (root).
|
||||
// If this is true, then Consul will execute proxies if Consul is
|
||||
// running as root. This is not recommended.
|
||||
AllowManagedRoot *bool `json:"allow_managed_root" hcl:"allow_managed_root" mapstructure:"allow_managed_root"`
|
||||
}
|
||||
|
||||
// ConnectProxyDefaults is the agent-global defaults for managed Connect proxies.
|
||||
type ConnectProxyDefaults struct {
|
||||
// ExecMode is used where a registration doesn't include an exec_mode.
|
||||
// Defaults to daemon.
|
||||
|
|
|
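Review bot: The `json:"allow_managed_root"` tag on `AllowManagedRoot` lacks `,omitempty` while every other field in these structs carries it, and the doc comment does not begin with the field name as Go convention expects. Suggested: `// AllowManagedRoot, when true, lets Consul execute managed proxies even when its EUID is 0 (root). This is not recommended.` together with adding `,omitempty` to the json tag. The EUID check the comment describes is not part of this diff, so presumably it is enforced wherever proxies are launched; worth confirming that code reads the new `ConnectProxyAllowManagedRoot` runtime field rather than a hard-coded rule.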
@ -630,6 +630,10 @@ type RuntimeConfig struct {
|
|||
// port is specified.
|
||||
ConnectProxyBindMaxPort int
|
||||
|
||||
// ConnectProxyAllowManagedRoot is true if Consul can execute managed
|
||||
// proxies when running as root (EUID == 0).
|
||||
ConnectProxyAllowManagedRoot bool
|
||||
|
||||
// ConnectProxyDefaultExecMode is used where a registration doesn't include an
|
||||
// exec_mode. Defaults to daemon.
|
||||
ConnectProxyDefaultExecMode string
|
||||
|
|
|
@ -2070,6 +2070,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
rt.DataDir = dataDir
|
||||
},
|
||||
},
|
||||
|
||||
{
|
||||
desc: "HCL service managed proxy 'upstreams'",
|
||||
args: []string{
|
||||
|
@ -2156,6 +2157,23 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
}
|
||||
},
|
||||
},
|
||||
|
||||
{
|
||||
desc: "enabling Connect allow_managed_root",
|
||||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{
|
||||
`{ "connect": { "proxy": { "allow_managed_root": true } } }`,
|
||||
},
|
||||
hcl: []string{
|
||||
`connect { proxy { allow_managed_root = true } }`,
|
||||
},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.DataDir = dataDir
|
||||
rt.ConnectProxyAllowManagedRoot = true
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
testConfig(t, tests, dataDir)
|
||||
|
@ -3519,6 +3537,7 @@ func TestFullConfig(t *testing.T) {
|
|||
"g4cvJyys": "IRLXE9Ds",
|
||||
"hyMy9Oxn": "XeBp4Sis",
|
||||
},
|
||||
ConnectProxyAllowManagedRoot: false,
|
||||
ConnectProxyDefaultExecMode: "script",
|
||||
ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"},
|
||||
ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"},
|
||||
|
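Review bot: The expected `ConnectProxyAllowManagedRoot: false` in the full-config fixture suggests the JSON and HCL inputs of TestFullConfig were not extended with the new `allow_managed_root` key, so the one test meant to exercise every key in both formats does not cover it. TestConfigFlagsAndEdgecases covers it earlier in this diff, but only the `true` case in isolation. Adding `"allow_managed_root": true` under `connect.proxy` in both fixtures and flipping this expectation to `true` would close that gap. TestFullConfig starts and ends outside this hunk.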
@ -4200,6 +4219,7 @@ func TestSanitize(t *testing.T) {
|
|||
"ConnectCAConfig": {},
|
||||
"ConnectCAProvider": "",
|
||||
"ConnectEnabled": false,
|
||||
"ConnectProxyAllowManagedRoot": false,
|
||||
"ConnectProxyBindMaxPort": 0,
|
||||
"ConnectProxyBindMinPort": 0,
|
||||
"ConnectProxyDefaultConfig": {},
|
||||
|
|