diff --git a/agent/config/builder.go b/agent/config/builder.go
index 8ea78c9729..b0cc56d0b9 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -865,7 +865,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
 ACLMasterToken: stringVal(c.ACL.Tokens.Master),
- ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolVal(c.EnableACLReplication)),
+ ACLTokenReplication: boolVal(c.ACL.TokenReplication),
 ACLTokens: token.Config{
 DataDir: dataDir,
diff --git a/agent/config/config.go b/agent/config/config.go
index e21e884dd2..4fcea3f8b8 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -180,7 +180,6 @@ type Config struct {
 DisableUpdateCheck *bool `mapstructure:"disable_update_check"`
 DiscardCheckOutput *bool `mapstructure:"discard_check_output"`
 DiscoveryMaxStale *string `mapstructure:"discovery_max_stale"`
- EnableACLReplication *bool `mapstructure:"enable_acl_replication"`
 EnableAgentTLSForChecks *bool `mapstructure:"enable_agent_tls_for_checks"`
 EnableCentralServiceConfig *bool `mapstructure:"enable_central_service_config"`
 EnableDebug *bool `mapstructure:"enable_debug"`
diff --git a/agent/config/deprecated.go b/agent/config/deprecated.go
index 09edb23cff..08c0e920fa 100644
--- a/agent/config/deprecated.go
+++ b/agent/config/deprecated.go
@@ -14,6 +14,8 @@ type DeprecatedConfig struct {
 ACLMasterToken *string `mapstructure:"acl_master_token"`
 // DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
 ACLReplicationToken *string `mapstructure:"acl_replication_token"`
+ // DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_token_replication"
+ EnableACLReplication *bool `mapstructure:"enable_acl_replication"`
 // DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
 ACLDatacenter *string `mapstructure:"acl_datacenter"`
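Review bot: Dropping the `boolVal(c.EnableACLReplication)` fallback from `ACLTokenReplication` can change precedence when the legacy and new keys come from different config sources: previously (as the name boolValWithDefault suggests) a merged `acl.enable_token_replication` always won over a merged `enable_acl_replication`, whereas the promotion added in the applyDeprecatedConfig hunk takes a `*decodeTarget` and so appears to run per source before merging, in which case a later source's legacy `enable_acl_replication = true` could override an earlier source's explicit `acl.enable_token_replication = false`. The merge step is not visible here, so this needs confirming against the loader. Either way, readers looking for the old fallback would benefit from a comment on the new line such as `// legacy enable_acl_replication is folded into ACL.TokenReplication by applyDeprecatedConfig`. build() starts and ends outside the hunk.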
@@ -59,6 +61,13 @@ func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
 warns = append(warns, deprecationWarning("acl_replication_token", "acl.tokens.replication"))
 }
+ if dep.EnableACLReplication != nil {
+ if d.Config.ACL.TokenReplication == nil {
+ d.Config.ACL.TokenReplication = dep.EnableACLReplication
+ }
+ warns = append(warns, deprecationWarning("enable_acl_replication", "acl.enable_token_replication"))
+ }
+
 if dep.ACLDatacenter != nil {
 if d.Config.PrimaryDatacenter == nil {
 d.Config.PrimaryDatacenter = dep.ACLDatacenter
diff --git a/agent/config/deprecated_test.go b/agent/config/deprecated_test.go
index fd35c957b1..d752e19c02 100644
--- a/agent/config/deprecated_test.go
+++ b/agent/config/deprecated_test.go
@@ -50,3 +50,29 @@ acl_replication_token = "token5"
 require.Equal(t, "token4", rt.ACLMasterToken)
 require.Equal(t, "token5", rt.ACLTokens.ACLReplicationToken)
 }
+
+func TestLoad_DeprecatedConfig_ACLReplication(t *testing.T) {
+ opts := LoadOpts{
+ HCL: []string{`
+data_dir = "/foo"
+
+enable_acl_replication = true
+
+`},
+ }
+ patchLoadOptsShims(&opts)
+ result, err := Load(opts)
+ require.NoError(t, err)
+
+ expectWarns := []string{
+ deprecationWarning("enable_acl_replication", "acl.enable_token_replication"),
+ }
+ sort.Strings(result.Warnings)
+ require.Equal(t, expectWarns, result.Warnings)
+ // Ideally this would compare against the entire result.RuntimeConfig, but
+ // we have so many non-zero defaults in that response that the noise of those
+ // defaults makes this test difficult to read. So as a workaround, compare
+ // specific values.
+ rt := result.RuntimeConfig
+ require.Equal(t, true, rt.ACLTokenReplication)
+}
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index 1f5ff3aaed..e6a6087428 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
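Review bot: When both `enable_acl_replication` and `acl.enable_token_replication` are set, the new block in applyDeprecatedConfig keeps the new key and drops the legacy value with only the generic deprecation warning; for a setting that switches ACL token replication on or off, a disagreeing legacy value should produce its own warning so an operator who still relies on the old key sees that it is being ignored. Both pointers are known non-nil at that point, so an `else if *d.Config.ACL.TokenReplication != *dep.EnableACLReplication {` branch appending a warning like `"enable_acl_replication is ignored because acl.enable_token_replication is also set"` would cover it. applyDeprecatedConfig starts and ends outside the hunk.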
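Review bot: `TestLoad_DeprecatedConfig_ACLReplication` only exercises the case where `acl.enable_token_replication` is unset, so the `d.Config.ACL.TokenReplication == nil` guard that gives the new key precedence is untested; a second HCL snippet setting `enable_acl_replication = true` together with the new `acl.enable_token_replication` key set to false, asserting `rt.ACLTokenReplication` is false, would pin that behaviour. The `sort.Strings(result.Warnings)` call is only needed when several warnings are expected; with a single expected warning it is harmless but could be dropped for clarity.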
@@ -5920,6 +5920,7 @@ func TestLoad_FullConfig(t *testing.T) {
 deprecationWarning("acl_token", "acl.tokens.default"),
 deprecationWarning("acl_master_token", "acl.tokens.master"),
 deprecationWarning("acl_replication_token", "acl.tokens.replication"),
+ deprecationWarning("enable_acl_replication", "acl.enable_token_replication"),
 `bootstrap_expect > 0: expecting 53 servers`,
 }
 expectedWarns = append(expectedWarns, enterpriseConfigKeyWarnings...)
diff --git a/website/content/docs/agent/options.mdx b/website/content/docs/agent/options.mdx
index fb51b5ec09..a0da3ec135 100644
--- a/website/content/docs/agent/options.mdx
+++ b/website/content/docs/agent/options.mdx
@@ -752,10 +752,10 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." running Consul 0.7 or later. When provided, this will enable [ACL replication](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters) using this ACL replication using this token to retrieve and replicate the ACLs to the non-authoritative local datacenter. In Consul 0.9.1 and later you can enable - ACL replication using [`enable_acl_replication`](#enable_acl_replication) and then + ACL replication using [`acl.enable_token_replication`](#acl_enable_token_replication) and then set the token later using the [agent token API](/api/agent#update-acl-tokens) on each server. If the `acl_replication_token` is set in the config, it will automatically - set [`enable_acl_replication`](#enable_acl_replication) to true for backward compatibility. + set [`acl.enable_token_replication`](#acl_enable_token_replication) to true for backward compatibility. If there's a partition or other outage affecting the authoritative datacenter, and the [`acl_down_policy`](/docs/agent/options#acl_down_policy) is set to "extend-cache", tokens not
@@ -1439,7 +1439,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr - `domain` Equivalent to the [`-domain` command-line flag](#_domain). -- `enable_acl_replication` When set on a Consul server, enables ACL replication without having to set +- `enable_acl_replication` **Deprecated in Consul 1.11. Use the [`acl.enable_token_replication`](#acl_enable_token_replication) field instead.** + When set on a Consul server, enables ACL replication without having to set the replication token via [`acl_replication_token`](#acl_replication_token). Instead, enable ACL replication and then introduce the token using the [agent token API](/api/agent#update-acl-tokens) on each server. See [`acl_replication_token`](#acl_replication_token) for more details.