package config
import (
"crypto/tls"
"net"
"reflect"
"strings"
"time"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/tlsutil"
"github.com/hashicorp/consul/types"
"golang.org/x/time/rate"
)
// RuntimeConfig specifies the configuration the consul agent actually
// uses. It is derived from one or more Config structures which can come
// from files, flags and/or environment variables.
//
// Two views are derived from it in this file: Sanitized returns a copy in
// which string fields whose name contains "key", "token" or "secret" are
// replaced by the literal "hidden", and IncomingHTTPSConfig builds the
// HTTPS listener's TLS settings from the CA/Cert/Key paths, the TLS*
// options and the Verify* flags.
type RuntimeConfig struct {
	// non-user configurable values
	AEInterval time.Duration
	ACLDisabledTTL time.Duration
	CheckDeregisterIntervalMin time.Duration
	CheckReapInterval time.Duration
	SegmentLimit int
	SegmentNameLimit int
	SyncCoordinateRateTarget float64
	SyncCoordinateIntervalMin time.Duration
	Revision string
	Version string
	VersionPrerelease string

	// consul config
	ConsulCoordinateUpdateMaxBatches int
	ConsulCoordinateUpdateBatchSize int
	ConsulCoordinateUpdatePeriod time.Duration
	ConsulRaftElectionTimeout time.Duration
	ConsulRaftHeartbeatTimeout time.Duration
	ConsulRaftLeaderLeaseTimeout time.Duration
	ConsulSerfLANGossipInterval time.Duration
	ConsulSerfLANProbeInterval time.Duration
	ConsulSerfLANProbeTimeout time.Duration
	ConsulSerfLANSuspicionMult int
	ConsulSerfWANGossipInterval time.Duration
	ConsulSerfWANProbeInterval time.Duration
	ConsulSerfWANProbeTimeout time.Duration
	ConsulSerfWANSuspicionMult int
	ConsulServerHealthInterval time.Duration

	// ACL settings. Every *Token field below is a credential; its name
	// contains "token", so Sanitized replaces the value with "hidden".
	ACLAgentMasterToken string
	ACLAgentToken string
	ACLDatacenter string
	ACLDefaultPolicy string
	ACLDownPolicy string
	ACLEnforceVersion8 bool
	ACLMasterToken string
	ACLReplicationToken string
	ACLTTL time.Duration
	ACLToken string

	AutopilotCleanupDeadServers bool
	AutopilotDisableUpgradeMigration bool
	AutopilotLastContactThreshold time.Duration
	AutopilotMaxTrailingLogs int
	AutopilotRedundancyZoneTag string
	AutopilotServerStabilizationTime time.Duration
	AutopilotUpgradeVersionTag string

	DNSAllowStale bool
	DNSDisableCompression bool
	DNSDomain string
	DNSEnableTruncate bool
	DNSMaxStale time.Duration
	DNSNodeTTL time.Duration
	DNSOnlyPassing bool
	DNSRecursorTimeout time.Duration
	DNSServiceTTL map[string]time.Duration
	DNSUDPAnswerLimit int
	DNSRecursors []string

	HTTPBlockEndpoints []string
	HTTPResponseHeaders map[string]string

	// Telemetry settings. TelemetryCirconusAPIToken is a credential and is
	// hidden by Sanitized; the remaining Circonus fields are plain settings.
	TelemetryCirconusAPIApp string
	TelemetryCirconusAPIToken string
	TelemetryCirconusAPIURL string
	TelemetryCirconusBrokerID string
	TelemetryCirconusBrokerSelectTag string
	TelemetryCirconusCheckDisplayName string
	TelemetryCirconusCheckForceMetricActivation string
	TelemetryCirconusCheckID string
	TelemetryCirconusCheckInstanceID string
	TelemetryCirconusCheckSearchTag string
	TelemetryCirconusCheckTags string
	TelemetryCirconusSubmissionInterval string
	TelemetryCirconusSubmissionURL string
	TelemetryDisableHostname bool
	TelemetryDogstatsdAddr string
	TelemetryDogstatsdTags []string
	TelemetryFilterDefault bool
	TelemetryAllowedPrefixes []string
	TelemetryBlockedPrefixes []string
	TelemetryStatsdAddr string
	TelemetryStatsiteAddr string
	TelemetryStatsitePrefix string

	AdvertiseAddrLAN *net.IPAddr
	AdvertiseAddrWAN *net.IPAddr
	BindAddr *net.IPAddr
	Bootstrap bool
	BootstrapExpect int
	// CAFile, CAPath and CertFile are passed unchanged to tlsutil.Config by
	// IncomingHTTPSConfig.
	CAFile string
	CAPath string
	CertFile string
	CheckUpdateInterval time.Duration
	// NOTE(review): check definitions may embed per-check ACL tokens; confirm
	// against structs.CheckDefinition before exposing this field unfiltered.
	Checks []*structs.CheckDefinition
	ClientAddrs []*net.IPAddr
	DNSAddrs []net.Addr
	DNSPort int
	DataDir string
	Datacenter string
	DevMode bool
	DisableAnonymousSignature bool
	DisableCoordinates bool
	DisableHostNodeID bool
	DisableKeyringFile bool
	DisableRemoteExec bool
	DisableUpdateCheck bool
	EnableACLReplication bool
	EnableDebug bool
	EnableScriptChecks bool
	EnableSyslog bool
	EnableUI bool
	// EncryptKey is a credential; its name contains "key", so Sanitized
	// replaces it with "hidden".
	EncryptKey string
	EncryptVerifyIncoming bool
	EncryptVerifyOutgoing bool
	HTTPAddrs []net.Addr
	HTTPPort int
	HTTPSAddrs []net.Addr
	HTTPSPort int
	// KeyFile is the TLS key path handed to tlsutil.Config by
	// IncomingHTTPSConfig. Sanitized hides it too, purely because its name
	// contains "key".
	KeyFile string
	LeaveOnTerm bool
	LogLevel string
	NodeID types.NodeID
	NodeMeta map[string]string
	NodeName string
	NonVotingServer bool
	PidFile string
	RPCAdvertiseAddr *net.TCPAddr
	RPCBindAddr *net.TCPAddr
	RPCMaxBurst int
	RPCProtocol int
	RPCRateLimit rate.Limit
	RaftProtocol int
	ReconnectTimeoutLAN time.Duration
	ReconnectTimeoutWAN time.Duration
	RejoinAfterLeave bool
	RetryJoinIntervalLAN time.Duration
	RetryJoinIntervalWAN time.Duration
	// RetryJoinLAN/RetryJoinWAN hold whitespace-separated "key=value" specs.
	// Sanitized rewrites any field whose text contains "key", "token" or
	// "secret" so that its value is replaced by "hidden".
	RetryJoinLAN []string
	RetryJoinMaxAttemptsLAN int
	RetryJoinMaxAttemptsWAN int
	RetryJoinWAN []string
	SegmentName string
	Segments []structs.NetworkSegment
	SerfAdvertiseAddrLAN *net.TCPAddr
	SerfAdvertiseAddrWAN *net.TCPAddr
	SerfBindAddrLAN *net.TCPAddr
	SerfBindAddrWAN *net.TCPAddr
	SerfPortLAN int
	SerfPortWAN int
	ServerMode bool
	ServerName string
	ServerPort int
	// NOTE(review): service definitions may embed per-service ACL tokens;
	// confirm against structs.ServiceDefinition before exposing this field
	// unfiltered.
	Services []*structs.ServiceDefinition
	SessionTTLMin time.Duration
	SkipLeaveOnInt bool
	StartJoinAddrsLAN []string
	StartJoinAddrsWAN []string
	SyslogFacility string
	// TLSCipherSuites, TLSMinVersion and TLSPreferServerCipherSuites are
	// forwarded to tlsutil.Config by IncomingHTTPSConfig.
	TLSCipherSuites []uint16
	TLSMinVersion string
	TLSPreferServerCipherSuites bool
	TaggedAddresses map[string]string
	TranslateWANAddrs bool
	UIDir string
	UnixSocketGroup string
	UnixSocketMode string
	UnixSocketUser string
	// VerifyIncoming or VerifyIncomingHTTPS (either one) enables incoming
	// verification in IncomingHTTPSConfig; VerifyIncomingRPC is not consulted
	// by that method.
	VerifyIncoming bool
	VerifyIncomingHTTPS bool
	VerifyIncomingRPC bool
	VerifyOutgoing bool
	VerifyServerHostname bool
	// Watches are free-form per-watch settings. NOTE(review): they may carry
	// per-watch ACL tokens under a "token" key — confirm against the watch
	// loader.
	Watches []map[string]interface{}
}
// IncomingHTTPSConfig returns the TLS configuration for HTTPS
// connections to consul.
//
// The settings come from the receiver's CA/Cert/Key paths, the TLS*
// options and the Verify* flags; incoming verification is required when
// either VerifyIncoming or VerifyIncomingHTTPS is set. Building the
// *tls.Config itself is delegated to tlsutil.Config.IncomingTLSConfig,
// whose error is returned unchanged.
func (c *RuntimeConfig) IncomingHTTPSConfig() (*tls.Config, error) {
	// The global flag and the HTTPS-specific flag are equivalent here:
	// either one turns on verification of incoming connections.
	verifyIncoming := c.VerifyIncoming || c.VerifyIncomingHTTPS

	cfg := tlsutil.Config{
		VerifyIncoming:           verifyIncoming,
		VerifyOutgoing:           c.VerifyOutgoing,
		CAFile:                   c.CAFile,
		CAPath:                   c.CAPath,
		CertFile:                 c.CertFile,
		KeyFile:                  c.KeyFile,
		NodeName:                 c.NodeName,
		ServerName:               c.ServerName,
		TLSMinVersion:            c.TLSMinVersion,
		CipherSuites:             c.TLSCipherSuites,
		PreferServerCipherSuites: c.TLSPreferServerCipherSuites,
	}
	return cfg.IncomingTLSConfig()
}
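// Sanitized returns a copy of the runtime configuration with secrets
// replaced by the literal "hidden", suitable for exposing through debug
// and informational endpoints.
//
// A value counts as secret when its name, lower-cased, contains "key",
// "token" or "secret". The rule is applied at any depth: to string struct
// fields (including those of structs reached through pointers, slices,
// maps and interface values, such as Checks, Services and Segments), to
// string values stored under such keys in maps (for example the entries
// of Watches), and to "key=value" fields of the RetryJoinLAN/RetryJoinWAN
// strings. Nested data is copied before being edited, so the receiver is
// never modified and the result shares no maps or pointers with it.
//
// The check is intentionally coarse: it hides some non-secret values
// (e.g. KeyFile, a path) rather than risk exposing a real credential.
func (c *RuntimeConfig) Sanitized() RuntimeConfig {
	// Copy the whole tree, hiding secret-looking strings on the way.
	san := sanitizeConfigValue(reflect.ValueOf(*c), isSecretConfigName).Interface().(RuntimeConfig)

	// Retry-join specs are free-form "k=v" strings, so the field-name rule
	// above cannot see into them; handle them separately.
	san.RetryJoinLAN = sanitizeRetryJoin(san.RetryJoinLAN, isSecretConfigName)
	san.RetryJoinWAN = sanitizeRetryJoin(san.RetryJoinWAN, isSecretConfigName)

	return san
}

// isSecretConfigName reports whether a struct field name, map key or
// "key=value" field looks like it carries a credential. The match is
// case-insensitive and deliberately broad.
func isSecretConfigName(name string) bool {
	name = strings.ToLower(name)
	return strings.Contains(name, "key") || strings.Contains(name, "token") || strings.Contains(name, "secret")
}

// sanitizeRetryJoin returns copies of the retry-join strings in which every
// whitespace-separated field that satisfies secret has its value replaced
// by "hidden". A "k=v" field keeps its key; a secret-looking field with no
// "=" is replaced entirely, because emitting "<field>=hidden" would echo
// the field text — and therefore the secret — verbatim.
//
// A nil input yields nil, so the JSON encoding of the field is unchanged.
func sanitizeRetryJoin(lines []string, secret func(string) bool) []string {
	var out []string
	for _, line := range lines {
		fields := strings.Fields(line)
		for i, f := range fields {
			if !secret(f) {
				continue
			}
			if eq := strings.Index(f, "="); eq >= 0 {
				fields[i] = f[:eq] + "=hidden"
			} else {
				fields[i] = "hidden"
			}
		}
		out = append(out, strings.Join(fields, " "))
	}
	return out
}

// sanitizeConfigValue returns a deep copy of v in which every string-kind
// struct field whose name satisfies secret, and every string-kind map
// value stored under a string key that does, is replaced by "hidden".
// Kinds that cannot carry a named string (numbers, bools, bare strings,
// channels, funcs) are returned as they are. Unexported struct fields are
// copied along with their enclosing struct but are not descended into,
// since reflect cannot assign to them.
//
// NOTE(review): the walk assumes the configuration tree is acyclic; a
// pointer cycle would recurse without bound.
func sanitizeConfigValue(v reflect.Value, secret func(string) bool) reflect.Value {
	hidden := reflect.ValueOf("hidden")

	switch v.Kind() {
	case reflect.Ptr:
		if v.IsNil() {
			return v
		}
		out := reflect.New(v.Type().Elem())
		out.Elem().Set(sanitizeConfigValue(v.Elem(), secret))
		return out

	case reflect.Interface:
		if v.IsNil() {
			return v
		}
		// The sanitized dynamic value keeps its type, so it still satisfies
		// the interface and can be stored back.
		out := reflect.New(v.Type()).Elem()
		out.Set(sanitizeConfigValue(v.Elem(), secret))
		return out

	case reflect.Struct:
		typ := v.Type()
		out := reflect.New(typ).Elem()
		// Whole-struct copy first: this is the only way to carry over
		// unexported fields, which cannot be set one by one.
		out.Set(v)
		for i := 0; i < typ.NumField(); i++ {
			f := typ.Field(i)
			if f.PkgPath != "" { // unexported; already copied above
				continue
			}
			if f.Type.Kind() == reflect.String && secret(f.Name) {
				// Convert handles named string types, not just plain string.
				out.Field(i).Set(hidden.Convert(f.Type))
				continue
			}
			out.Field(i).Set(sanitizeConfigValue(v.Field(i), secret))
		}
		return out

	case reflect.Slice:
		if v.IsNil() {
			return v // keep nil so JSON output stays "null"
		}
		out := reflect.MakeSlice(v.Type(), v.Len(), v.Len())
		for i := 0; i < v.Len(); i++ {
			out.Index(i).Set(sanitizeConfigValue(v.Index(i), secret))
		}
		return out

	case reflect.Array:
		out := reflect.New(v.Type()).Elem()
		for i := 0; i < v.Len(); i++ {
			out.Index(i).Set(sanitizeConfigValue(v.Index(i), secret))
		}
		return out

	case reflect.Map:
		if v.IsNil() {
			return v
		}
		out := reflect.MakeMap(v.Type())
		for _, k := range v.MapKeys() {
			val := v.MapIndex(k)
			// Look through an interface{} element (as in Watches) to find
			// the concrete value.
			dyn := val
			if dyn.Kind() == reflect.Interface && !dyn.IsNil() {
				dyn = dyn.Elem()
			}
			if k.Kind() == reflect.String && secret(k.String()) && dyn.Kind() == reflect.String {
				out.SetMapIndex(k, hidden.Convert(dyn.Type()))
				continue
			}
			out.SetMapIndex(k, sanitizeConfigValue(val, secret))
		}
		return out

	default:
		return v
	}
}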