agent: Adding ACL master token

command/agent/agent.go

@@ -184,6 +184,9 @@ func (a *Agent) consulConfig() *consul.Config {
 	if a.config.ACLToken != "" {
 		base.ACLToken = a.config.ACLToken
 	}
+	if a.config.ACLMasterToken != "" {
+		base.ACLMasterToken = a.config.ACLMasterToken
+	}
 	if a.config.ACLDatacenter != "" {
 		base.ACLDatacenter = a.config.ACLDatacenter
 	}

command/agent/config.go

@@ -198,6 +198,11 @@ type Config struct {
 	// token is not provided. If not configured the 'anonymous' token is used.
 	ACLToken string `mapstructure:"acl_token" json:"-"`
 
+	// ACLMasterToken is used to bootstrap the ACL system. It should be specified
+	// on the servers in the ACLDatacenter. When the leader comes online, it ensures
+	// that the Master token is available. This provides the initial token.
+	ACLMasterToken string `mapstructure:"acl_master_token" json:"-"`
+
 	// ACLDatacenter is the central datacenter that holds authoritative
 	// ACL records. This must be the same for the entire cluster.
 	// If this is not set, ACLs are not enabled. Off by default.
@@ -627,6 +632,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.ACLToken != "" {
 		result.ACLToken = b.ACLToken
 	}
+	if b.ACLMasterToken != "" {
+		result.ACLMasterToken = b.ACLMasterToken
+	}
 	if b.ACLDatacenter != "" {
 		result.ACLDatacenter = b.ACLDatacenter
 	}

command/agent/config_test.go

@@ -360,7 +360,7 @@ func TestDecodeConfig(t *testing.T) {
 	// ACLs
 	input = `{"acl_token": "1234", "acl_datacenter": "dc2",
 	"acl_ttl": "60s", "acl_down_policy": "deny",
-	"acl_default_policy": "deny"}`
+	"acl_default_policy": "deny", "acl_master_token": "2345"}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
 		t.Fatalf("err: %s", err)
@@ -369,6 +369,9 @@ func TestDecodeConfig(t *testing.T) {
 	if config.ACLToken != "1234" {
 		t.Fatalf("bad: %#v", config)
 	}
+	if config.ACLMasterToken != "2345" {
+		t.Fatalf("bad: %#v", config)
+	}
 	if config.ACLDatacenter != "dc2" {
 		t.Fatalf("bad: %#v", config)
 	}
@@ -529,6 +532,7 @@ func TestMergeConfig(t *testing.T) {
 		CheckUpdateInterval:    8 * time.Minute,
 		CheckUpdateIntervalRaw: "8m",
 		ACLToken:               "1234",
+		ACLMasterToken:         "2345",
 		ACLDatacenter:          "dc2",
 		ACLTTL:                 15 * time.Second,
 		ACLTTLRaw:              "15s",

consul/config.go

@@ -133,6 +133,11 @@ type Config struct {
 	// backwards compatibility as well.
 	ACLToken string
 
+	// ACLMasterToken is used to bootstrap the ACL system. It should be specified
+	// on the servers in the ACLDatacenter. When the leader comes online, it ensures
+	// that the Master token is available. This provides the initial token.
+	ACLMasterToken string
+
 	// ACLDatacenter provides the authoritative datacenter for ACL
 	// tokens. If not provided, ACL verification is disabled.
 	ACLDatacenter string