// Copyright (c) HashiCorp, Inc. |
|
// SPDX-License-Identifier: BUSL-1.1 |
|
|
|
package config |
|
|
|
import ( |
|
"fmt" |
|
|
|
"github.com/hashicorp/consul/agent/consul" |
|
"github.com/hashicorp/consul/types" |
|
) |
|
|
|
// DeprecatedConfig collects top-level configuration fields that have been
// superseded by a newer stanza. They are still decoded so that old
// configuration files keep working; applyDeprecatedConfig and
// applyDeprecatedTLSConfig copy each one onto its replacement and emit a
// warning for every legacy field that was present. Fields are pointers (or
// slices) so that nil can be read as "not set" by those functions.
type DeprecatedConfig struct {
	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
	// (mapped onto "acl.tokens.agent_recovery").
	ACLAgentMasterToken *string `mapstructure:"acl_agent_master_token"`
	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
	// (mapped onto "acl.tokens.agent").
	ACLAgentToken *string `mapstructure:"acl_agent_token"`
	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
	// (mapped onto "acl.tokens.default").
	ACLToken *string `mapstructure:"acl_token"`
	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_key_list_policy"
	ACLEnableKeyListPolicy *bool `mapstructure:"acl_enable_key_list_policy"`

	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
	// (mapped onto "acl.tokens.initial_management").
	ACLMasterToken *string `mapstructure:"acl_master_token"`
	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
	// (mapped onto "acl.tokens.replication"; setting it also switches
	// "acl.enable_token_replication" on).
	ACLReplicationToken *string `mapstructure:"acl_replication_token"`
	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_token_replication"
	EnableACLReplication *bool `mapstructure:"enable_acl_replication"`

	// DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
	// (setting it also switches "acl.enabled" on).
	ACLDatacenter *string `mapstructure:"acl_datacenter"`

	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.default_policy"
	ACLDefaultPolicy *string `mapstructure:"acl_default_policy"`
	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.down_policy"
	ACLDownPolicy *string `mapstructure:"acl_down_policy"`
	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.token_ttl"
	ACLTTL *string `mapstructure:"acl_ttl"`

	// DEPRECATED(TLS) - moved to "tls.defaults.ca_file"
	CAFile *string `mapstructure:"ca_file"`

	// DEPRECATED(TLS) - moved to "tls.defaults.ca_path"
	CAPath *string `mapstructure:"ca_path"`

	// DEPRECATED(TLS) - moved to "tls.defaults.cert_file"
	CertFile *string `mapstructure:"cert_file"`

	// DEPRECATED(TLS) - moved to "tls.defaults.key_file"
	KeyFile *string `mapstructure:"key_file"`

	// DEPRECATED(TLS) - moved to "tls.defaults.tls_cipher_suites"
	TLSCipherSuites *string `mapstructure:"tls_cipher_suites"`

	// DEPRECATED(TLS) - moved to "tls.defaults.tls_min_version". Legacy
	// version names listed in types.DeprecatedConsulAgentTLSVersions are
	// translated to their current spelling with an extra warning.
	TLSMinVersion *string `mapstructure:"tls_min_version"`

	// DEPRECATED(TLS) - moved to "tls.defaults.verify_incoming". When this
	// legacy field is used, "tls.grpc.verify_incoming" is pinned to false
	// unless set explicitly (see applyDeprecatedTLSConfig).
	VerifyIncoming *bool `mapstructure:"verify_incoming"`

	// DEPRECATED(TLS) - moved to "tls.https.verify_incoming"
	VerifyIncomingHTTPS *bool `mapstructure:"verify_incoming_https"`

	// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_incoming"
	VerifyIncomingRPC *bool `mapstructure:"verify_incoming_rpc"`

	// DEPRECATED(TLS) - moved to "tls.defaults.verify_outgoing"
	VerifyOutgoing *bool `mapstructure:"verify_outgoing"`

	// DEPRECATED(TLS) - moved to "tls.internal_rpc.verify_server_hostname"
	VerifyServerHostname *bool `mapstructure:"verify_server_hostname"`

	// DEPRECATED(TLS) - this isn't honored by crypto/tls anymore. The value
	// is ignored; only a warning is emitted when it is present.
	TLSPreferServerCipherSuites *bool `mapstructure:"tls_prefer_server_cipher_suites"`

	// DEPRECATED(JOIN) - replaced by retry_join. Addresses given here are
	// appended to retry_join rather than replacing it.
	StartJoinAddrsLAN []string `mapstructure:"start_join"`

	// DEPRECATED(JOIN) - replaced by retry_join_wan. Addresses given here are
	// appended to retry_join_wan rather than replacing it.
	StartJoinAddrsWAN []string `mapstructure:"start_join_wan"`

	// DEPRECATED see RaftLogStore. Excluded from JSON output via json:"-".
	RaftBoltDBConfig *consul.RaftBoltDBConfig `mapstructure:"raft_boltdb" json:"-"`
}
|
|
|
// applyDeprecatedConfig folds the legacy fields decoded into d.DeprecatedConfig
// (plus a couple of renamed acl.tokens fields) into their replacements on
// d.Config, mutating it in place. It returns the resulting Config together with
// one warning string per legacy field that was set, so callers can surface
// them to the operator.
//
// A legacy value is only adopted when the replacement field is still nil, so
// an explicitly configured new-style field always takes precedence. Two legacy
// fields additionally flip a switch regardless of the new-style value:
// acl_replication_token forces acl.enable_token_replication on, and
// acl_datacenter forces acl.enabled on.
func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
	legacy := d.DeprecatedConfig
	cfg := &d.Config
	var warns []string

	// TODO(boxofrad): The DeprecatedConfig struct only holds fields that were once
	// on the top-level Config struct (not nested fields e.g. ACL.Tokens) maybe we
	// should rethink this a bit?

	// adoptString fills *dst from src when src was given and *dst is still
	// unset, and records the deprecation warning whenever src was given at all.
	adoptString := func(dst **string, src *string, oldName, newName string) {
		if src == nil {
			return
		}
		if *dst == nil {
			*dst = src
		}
		warns = append(warns, deprecationWarning(oldName, newName))
	}
	// adoptBool is the *bool counterpart of adoptString.
	adoptBool := func(dst **bool, src *bool, oldName, newName string) {
		if src == nil {
			return
		}
		if *dst == nil {
			*dst = src
		}
		warns = append(warns, deprecationWarning(oldName, newName))
	}

	acl := &cfg.ACL
	tokens := &acl.Tokens

	// Renamed fields inside the acl.tokens stanza come first so that the
	// top-level legacy tokens below cannot override them.
	adoptString(&tokens.AgentRecovery, tokens.AgentMaster, "acl.tokens.agent_master", "acl.tokens.agent_recovery")
	adoptString(&tokens.AgentRecovery, legacy.ACLAgentMasterToken, "acl_agent_master_token", "acl.tokens.agent_recovery")
	adoptString(&tokens.Agent, legacy.ACLAgentToken, "acl_agent_token", "acl.tokens.agent")
	adoptString(&tokens.Default, legacy.ACLToken, "acl_token", "acl.tokens.default")
	adoptString(&tokens.InitialManagement, tokens.Master, "acl.tokens.master", "acl.tokens.initial_management")
	adoptString(&tokens.InitialManagement, legacy.ACLMasterToken, "acl_master_token", "acl.tokens.initial_management")

	if legacy.ACLReplicationToken != nil {
		// A legacy replication token implies replication is wanted; this is
		// set unconditionally, even over an explicit new-style value.
		acl.TokenReplication = pBool(true)
	}
	adoptString(&tokens.Replication, legacy.ACLReplicationToken, "acl_replication_token", "acl.tokens.replication")
	adoptBool(&acl.TokenReplication, legacy.EnableACLReplication, "enable_acl_replication", "acl.enable_token_replication")

	if legacy.ACLDatacenter != nil {
		// when the acl_datacenter config is used it implicitly enables acls
		acl.Enabled = pBool(true)
	}
	adoptString(&cfg.PrimaryDatacenter, legacy.ACLDatacenter, "acl_datacenter", "primary_datacenter")

	adoptString(&acl.DefaultPolicy, legacy.ACLDefaultPolicy, "acl_default_policy", "acl.default_policy")
	adoptString(&acl.DownPolicy, legacy.ACLDownPolicy, "acl_down_policy", "acl.down_policy")
	adoptString(&acl.TokenTTL, legacy.ACLTTL, "acl_ttl", "acl.token_ttl")
	adoptBool(&acl.EnableKeyListPolicy, legacy.ACLEnableKeyListPolicy, "acl_enable_key_list_policy", "acl.enable_key_list_policy")

	// Join lists are merged rather than adopted-if-unset: legacy addresses are
	// appended after whatever retry_join already holds.
	if len(legacy.StartJoinAddrsLAN) != 0 {
		cfg.RetryJoinLAN = append(cfg.RetryJoinLAN, legacy.StartJoinAddrsLAN...)
		warns = append(warns, deprecationWarning("start_join", "retry_join"))
	}
	if len(legacy.StartJoinAddrsWAN) != 0 {
		cfg.RetryJoinWAN = append(cfg.RetryJoinWAN, legacy.StartJoinAddrsWAN...)
		warns = append(warns, deprecationWarning("start_join_wan", "retry_join_wan"))
	}

	if legacy.RaftBoltDBConfig != nil {
		// Only NoFreelistSync is carried over from the legacy raft_boltdb block.
		adoptBool(&cfg.RaftLogStore.BoltDBConfig.NoFreelistSync, &legacy.RaftBoltDBConfig.NoFreelistSync, "raft_boltdb", "raft_logstore.boltdb")
	}

	warns = append(warns, applyDeprecatedTLSConfig(legacy, cfg)...)

	return *cfg, warns
}
|
|
|
// applyDeprecatedTLSConfig maps the legacy top-level TLS fields in dep onto the
// tls.defaults, tls.internal_rpc and tls.https stanzas of cfg.TLS, mutating cfg
// in place, and returns one warning per legacy field that was set.
//
// As with the other deprecated fields, a legacy value is only adopted when the
// new-style field is still nil. Two cases deserve attention: a legacy
// tls_min_version spelled with a name from types.DeprecatedConsulAgentTLSVersions
// is rewritten to the current spelling (with an extra warning), and a legacy
// verify_incoming pins tls.grpc.verify_incoming to false unless it was set
// explicitly, so the gRPC listener does not silently start requiring client
// certificates.
func applyDeprecatedTLSConfig(dep DeprecatedConfig, cfg *Config) []string {
	var warns []string

	tlsCfg := &cfg.TLS
	defaults := &tlsCfg.Defaults
	internalRPC := &tlsCfg.InternalRPC
	https := &tlsCfg.HTTPS
	grpc := &tlsCfg.GRPC

	// adoptString fills *dst from src when src was given and *dst is still
	// unset, and records the deprecation warning whenever src was given at all.
	adoptString := func(dst **string, src *string, oldName, newName string) {
		if src == nil {
			return
		}
		if *dst == nil {
			*dst = src
		}
		warns = append(warns, deprecationWarning(oldName, newName))
	}
	// adoptBool is the *bool counterpart of adoptString.
	adoptBool := func(dst **bool, src *bool, oldName, newName string) {
		if src == nil {
			return
		}
		if *dst == nil {
			*dst = src
		}
		warns = append(warns, deprecationWarning(oldName, newName))
	}

	adoptString(&defaults.CAFile, dep.CAFile, "ca_file", "tls.defaults.ca_file")
	adoptString(&defaults.CAPath, dep.CAPath, "ca_path", "tls.defaults.ca_path")
	adoptString(&defaults.CertFile, dep.CertFile, "cert_file", "tls.defaults.cert_file")
	adoptString(&defaults.KeyFile, dep.KeyFile, "key_file", "tls.defaults.key_file")
	adoptString(&defaults.TLSCipherSuites, dep.TLSCipherSuites, "tls_cipher_suites", "tls.defaults.tls_cipher_suites")

	if legacyMin := dep.TLSMinVersion; legacyMin != nil {
		// NOTE: This inner check for deprecated values should eventually be
		// removed
		switch version, known := types.DeprecatedConsulAgentTLSVersions[*legacyMin]; {
		case defaults.TLSMinVersion != nil:
			// An explicit new-style value wins; nothing to adopt.
		case known:
			// The legacy spelling is translated to the current one and the
			// operator is told which value to use instead.
			warns = append(warns, fmt.Sprintf("'tls_min_version' value '%s' is deprecated, please specify '%s' instead", *legacyMin, version))
			canonical := version.String()
			defaults.TLSMinVersion = &canonical
		default:
			defaults.TLSMinVersion = legacyMin
		}
		warns = append(warns, deprecationWarning("tls_min_version", "tls.defaults.tls_min_version"))
	}

	if dep.VerifyIncoming != nil {
		adoptBool(&defaults.VerifyIncoming, dep.VerifyIncoming, "verify_incoming", "tls.defaults.verify_incoming")

		// Prior to Consul 1.12 it was not possible to enable client certificate
		// verification on the gRPC port. We must override GRPC.VerifyIncoming to
		// prevent it from inheriting Defaults.VerifyIncoming when we've mapped the
		// deprecated top-level verify_incoming field.
		if grpc.VerifyIncoming == nil {
			grpc.VerifyIncoming = pBool(false)
			tlsCfg.GRPCModifiedByDeprecatedConfig = &struct{}{}
		}
	}

	adoptBool(&https.VerifyIncoming, dep.VerifyIncomingHTTPS, "verify_incoming_https", "tls.https.verify_incoming")
	adoptBool(&internalRPC.VerifyIncoming, dep.VerifyIncomingRPC, "verify_incoming_rpc", "tls.internal_rpc.verify_incoming")
	adoptBool(&defaults.VerifyOutgoing, dep.VerifyOutgoing, "verify_outgoing", "tls.defaults.verify_outgoing")
	adoptBool(&internalRPC.VerifyServerHostname, dep.VerifyServerHostname, "verify_server_hostname", "tls.internal_rpc.verify_server_hostname")

	// crypto/tls no longer honors this preference, so the value is dropped and
	// the operator is only warned.
	if dep.TLSPreferServerCipherSuites != nil {
		warns = append(warns, "The 'tls_prefer_server_cipher_suites' field is deprecated and will be ignored.")
	}

	return warns
}
|
|
|
// deprecationWarning builds the standard operator-facing message for a
// configuration field `old` that has been superseded by `new`.
func deprecationWarning(old, new string) string {
	return "The '" + old + "' field is deprecated. Use the '" + new + "' field instead."
}
|
|
|
// pBool returns a pointer to a fresh copy of v, for populating optional *bool
// config fields without a temporary variable at the call site.
func pBool(v bool) *bool {
	p := new(bool)
	*p = v
	return p
}
|
|
|