diff --git a/agent/consul/server.go b/agent/consul/server.go index c403c0400c..1aea2df125 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -595,32 +595,34 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server, StorageBackend: s.raftStorageBackend, }) - s.hcpManager = hcp.NewManager(hcp.ManagerConfig{ - CloudConfig: flat.HCP.Config, - StatusFn: s.hcpServerStatus(flat), - Logger: logger.Named("hcp_manager"), - SCADAProvider: flat.HCP.Provider, - TelemetryProvider: flat.HCP.TelemetryProvider, - ManagementTokenUpserterFn: func(name, secretId string) error { - // Check the state of the server before attempting to upsert the token. Otherwise, - // the upsert will fail and log errors that do not require action from the user. - if s.config.ACLsEnabled && s.IsLeader() && s.InPrimaryDatacenter() { - // Idea for improvement: Upsert a token with a well-known accessorId here instead - // of a randomly generated one. This would prevent any possible insertion collision between - // this and the insertion that happens during the ACL initialization process (initializeACLs function) - return s.upsertManagementToken(name, secretId) - } - return nil - }, - ManagementTokenDeleterFn: func(secretId string) error { - // Check the state of the server before attempting to delete the token.Otherwise, - // the delete will fail and log errors that do not require action from the user. - if s.config.ACLsEnabled && s.IsLeader() && s.InPrimaryDatacenter() { - return s.deleteManagementToken(secretId) - } - return nil - }, - }) + if s.config.Cloud.IsConfigured() { + s.hcpManager = hcp.NewManager(hcp.ManagerConfig{ + CloudConfig: flat.HCP.Config, + StatusFn: s.hcpServerStatus(flat), + Logger: logger.Named("hcp_manager"), + SCADAProvider: flat.HCP.Provider, + TelemetryProvider: flat.HCP.TelemetryProvider, + ManagementTokenUpserterFn: func(name, secretId string) error { + // Check the state of the server before attempting to upsert the token. Otherwise, + // the upsert will fail and log errors that do not require action from the user. + if s.config.ACLsEnabled && s.IsLeader() && s.InPrimaryDatacenter() { + // Idea for improvement: Upsert a token with a well-known accessorId here instead + // of a randomly generated one. This would prevent any possible insertion collision between + // this and the insertion that happens during the ACL initialization process (initializeACLs function) + return s.upsertManagementToken(name, secretId) + } + return nil + }, + ManagementTokenDeleterFn: func(secretId string) error { + // Check the state of the server before attempting to delete the token.Otherwise, + // the delete will fail and log errors that do not require action from the user. + if s.config.ACLsEnabled && s.IsLeader() && s.InPrimaryDatacenter() { + return s.deleteManagementToken(secretId) + } + return nil + }, + }) + } var recorder *middleware.RequestRecorder if flat.NewRequestRecorderFunc != nil { @@ -890,22 +892,24 @@ func NewServer(config *Config, flat Deps, externalGRPCServer *grpc.Server, // to enable RPC forwarding. s.grpcLeaderForwarder = flat.LeaderForwarder - // Start watching HCP Link resource. This needs to be created after - // the GRPC services are set up in order for the resource service client to - // function. This uses the insecure grpc channel so that it doesn't need to - // present a valid ACL token. - go hcp.RunHCPLinkWatcher( - &lib.StopChannelContext{StopCh: shutdownCh}, - logger.Named("hcp-link-watcher"), - pbresource.NewResourceServiceClient(s.insecureSafeGRPCChan), - hcp.HCPManagerLifecycleFn( - s.hcpManager, - hcpclient.NewClient, - bootstrap.LoadManagementToken, - flat.HCP.Config, - flat.HCP.DataDir, - ), - ) + if s.config.Cloud.IsConfigured() { + // Start watching HCP Link resource. This needs to be created after + // the GRPC services are set up in order for the resource service client to + // function. This uses the insecure grpc channel so that it doesn't need to + // present a valid ACL token. + go hcp.RunHCPLinkWatcher( + &lib.StopChannelContext{StopCh: shutdownCh}, + logger.Named("hcp-link-watcher"), + pbresource.NewResourceServiceClient(s.insecureSafeGRPCChan), + hcp.HCPManagerLifecycleFn( + s.hcpManager, + hcpclient.NewClient, + bootstrap.LoadManagementToken, + flat.HCP.Config, + flat.HCP.DataDir, + ), + ) + } s.controllerManager = controller.NewManager( // Usage of the insecure + unsafe grpc chan is required for the controller @@ -1008,13 +1012,15 @@ func isV1CatalogRequest(rpcName string) bool { } func (s *Server) registerControllers(deps Deps, proxyUpdater ProxyUpdater) error { - hcpctl.RegisterControllers( - s.controllerManager, hcpctl.ControllerDependencies{ - ResourceApisEnabled: s.useV2Resources, - HCPAllowV2ResourceApis: s.hcpAllowV2Resources, - CloudConfig: deps.HCP.Config, - }, - ) + if s.config.Cloud.IsConfigured() { + hcpctl.RegisterControllers( + s.controllerManager, hcpctl.ControllerDependencies{ + ResourceApisEnabled: s.useV2Resources, + HCPAllowV2ResourceApis: s.hcpAllowV2Resources, + CloudConfig: deps.HCP.Config, + }, + ) + } // When not enabled, the v1 tenancy bridge is used by default. if s.useV2Tenancy { @@ -2075,8 +2081,10 @@ func (s *Server) trackLeaderChanges() { s.raftStorageBackend.LeaderChanged() s.controllerManager.SetRaftLeader(s.IsLeader()) - // Trigger sending an update to HCP status - s.hcpManager.SendUpdate() + if s.config.Cloud.IsConfigured() { + // Trigger sending an update to HCP status + s.hcpManager.SendUpdate() + } case <-s.shutdownCh: s.raft.DeregisterObserver(observer) return diff --git a/command/agent/agent.go b/command/agent/agent.go index f1e0541145..b280fbf506 100644 --- a/command/agent/agent.go +++ b/command/agent/agent.go @@ -181,12 +181,9 @@ func (c *cmd) run(args []string) int { ui.Error(err.Error()) return 1 } - } - // We unconditionally add an Access Control header to our config in order to allow the HCP UI to work. - // We do this unconditionally because the cluster can be linked to HCP at any time (not just at startup) and this - // is simpler than selectively reloading parts of config at runtime. - loader = hcpbootstrap.AddAclPolicyAccessControlHeader(loader) + loader = hcpbootstrap.AddAclPolicyAccessControlHeader(loader) + } bd, err := agent.NewBaseDeps(loader, logGate, nil) if err != nil {