mirror of https://github.com/hashicorp/consul
139 lines
4.5 KiB
Go
139 lines
4.5 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package autoconf
|
|
|
|
import (
|
|
"github.com/hashicorp/consul/agent/config"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/proto/private/pbautoconf"
|
|
"github.com/hashicorp/consul/proto/private/pbconfig"
|
|
"github.com/hashicorp/consul/proto/private/pbconnect"
|
|
"github.com/hashicorp/consul/types"
|
|
)
|
|
|
|
// translateAgentConfig is meant to take in a proto/pbconfig.Config type
|
|
// and craft the corresponding agent/config.Config type. The need for this function
|
|
// should eventually be removed with the protobuf and normal version converging.
|
|
// In the meantime, its not desirable to have the flatter Config struct in protobufs
|
|
// as in the long term we want a configuration with more nested groupings.
|
|
//
|
|
// Why is this function not in the proto/pbconfig package? The answer, that
|
|
// package cannot import the agent/config package without running into import cycles.
|
|
func translateConfig(c *pbconfig.Config) config.Config {
|
|
result := config.Config{
|
|
Datacenter: stringPtrOrNil(c.Datacenter),
|
|
PrimaryDatacenter: stringPtrOrNil(c.PrimaryDatacenter),
|
|
NodeName: stringPtrOrNil(c.NodeName),
|
|
// only output the SegmentName in the configuration if it's non-empty
|
|
// this will avoid a warning later when parsing the persisted configuration
|
|
SegmentName: stringPtrOrNil(c.SegmentName),
|
|
// only output the Partition in the configuration if it's non-empty
|
|
// this will avoid a warning later when parsing the persisted configuration
|
|
Partition: stringPtrOrNil(c.Partition),
|
|
}
|
|
|
|
if a := c.AutoEncrypt; a != nil {
|
|
result.AutoEncrypt = config.AutoEncrypt{
|
|
TLS: &a.TLS,
|
|
DNSSAN: a.DNSSAN,
|
|
IPSAN: a.IPSAN,
|
|
AllowTLS: &a.AllowTLS,
|
|
}
|
|
}
|
|
|
|
if a := c.ACL; a != nil {
|
|
result.ACL = config.ACL{
|
|
Enabled: &a.Enabled,
|
|
PolicyTTL: stringPtrOrNil(a.PolicyTTL),
|
|
RoleTTL: stringPtrOrNil(a.RoleTTL),
|
|
TokenTTL: stringPtrOrNil(a.TokenTTL),
|
|
DownPolicy: stringPtrOrNil(a.DownPolicy),
|
|
DefaultPolicy: stringPtrOrNil(a.DefaultPolicy),
|
|
EnableKeyListPolicy: &a.EnableKeyListPolicy,
|
|
EnableTokenPersistence: &a.EnableTokenPersistence,
|
|
}
|
|
|
|
if t := c.ACL.Tokens; t != nil {
|
|
tokens := make([]config.ServiceProviderToken, 0, len(t.ManagedServiceProvider))
|
|
for _, mspToken := range t.ManagedServiceProvider {
|
|
tokens = append(tokens, config.ServiceProviderToken{
|
|
AccessorID: &mspToken.AccessorID,
|
|
SecretID: &mspToken.SecretID,
|
|
})
|
|
}
|
|
|
|
result.ACL.Tokens = config.Tokens{
|
|
InitialManagement: stringPtrOrNil(t.InitialManagement),
|
|
AgentRecovery: stringPtrOrNil(t.AgentRecovery),
|
|
Replication: stringPtrOrNil(t.Replication),
|
|
Default: stringPtrOrNil(t.Default),
|
|
Agent: stringPtrOrNil(t.Agent),
|
|
ManagedServiceProvider: tokens,
|
|
}
|
|
}
|
|
}
|
|
|
|
if g := c.Gossip; g != nil {
|
|
result.RetryJoinLAN = g.RetryJoinLAN
|
|
|
|
if e := c.Gossip.Encryption; e != nil {
|
|
result.EncryptKey = stringPtrOrNil(e.Key)
|
|
result.EncryptVerifyIncoming = &e.VerifyIncoming
|
|
result.EncryptVerifyOutgoing = &e.VerifyOutgoing
|
|
}
|
|
}
|
|
|
|
if t := c.TLS; t != nil {
|
|
result.TLS.Defaults = config.TLSProtocolConfig{
|
|
VerifyOutgoing: &t.VerifyOutgoing,
|
|
TLSCipherSuites: stringPtrOrNil(t.CipherSuites),
|
|
}
|
|
|
|
// NOTE: This inner check for deprecated values should eventually be
|
|
// removed, and possibly replaced with a versioning scheme for autoconfig
|
|
// or a proper integration with the deprecated config handling in
|
|
// agent/config/deprecated.go
|
|
if v, ok := types.DeprecatedConsulAgentTLSVersions[t.MinVersion]; ok {
|
|
result.TLS.Defaults.TLSMinVersion = stringPtrOrNil(v.String())
|
|
} else {
|
|
result.TLS.Defaults.TLSMinVersion = stringPtrOrNil(t.MinVersion)
|
|
}
|
|
|
|
result.TLS.InternalRPC.VerifyServerHostname = &t.VerifyServerHostname
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func stringPtrOrNil(v string) *string {
|
|
if v == "" {
|
|
return nil
|
|
}
|
|
return &v
|
|
}
|
|
|
|
func extractSignedResponse(resp *pbautoconf.AutoConfigResponse) (*structs.SignedResponse, error) {
|
|
roots, err := pbconnect.CARootsToStructs(resp.CARoots)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
cert, err := pbconnect.IssuedCertToStructs(resp.Certificate)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
out := &structs.SignedResponse{
|
|
IssuedCert: *cert,
|
|
ConnectCARoots: *roots,
|
|
ManualCARoots: resp.ExtraCACertificates,
|
|
}
|
|
|
|
if resp.Config != nil && resp.Config.TLS != nil {
|
|
out.VerifyServerHostname = resp.Config.TLS.VerifyServerHostname
|
|
}
|
|
|
|
return out, err
|
|
}
|