// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package consuldp
import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
	"time"

	"github.com/hashicorp/consul-server-connection-manager/discovery"
	"github.com/hashicorp/go-rootcerts"
)
// ConsulConfig are the settings required to connect with Consul servers.
type ConsulConfig struct {
	// Addresses are Consul server addresses. Value can be:
	// DNS name OR 'exec=<executable with optional args>'.
	// Executable will be parsed by https://github.com/hashicorp/go-netaddrs.
	Addresses string
	// GRPCPort is the gRPC port on the Consul server.
	GRPCPort int
	// Credentials are the credentials used to authenticate requests and streams
	// to the Consul servers (e.g. static ACL token or auth method credentials).
	// See CredentialsConfig.ToDiscoveryCredentials for how they are resolved.
	Credentials *CredentialsConfig
	// ServerWatchDisabled opts-out of consuming the server update stream, for
	// cases where its addresses are incorrect (e.g. servers are behind a load
	// balancer).
	ServerWatchDisabled bool
	// TLS contains the TLS settings for communicating with Consul servers.
	// See TLSConfig.Load for how they are turned into a *tls.Config.
	TLS *TLSConfig
}
// DNSServerConfig is the configuration for the transparent DNS proxy that will
// forward requests to Consul.
type DNSServerConfig struct {
	// BindAddr is the address the DNS server will bind to. Default will be 127.0.0.1
	// (the default is applied by the caller that builds this config, not here).
	BindAddr string
	// Port is the port which the DNS server will bind to.
	Port int
}
// TLSConfig contains the TLS settings for communicating with Consul servers.
// Load turns these settings into a *tls.Config.
type TLSConfig struct {
	// Disabled causes consul-dataplane to communicate with Consul servers over
	// an insecure plaintext connection. This is useful for testing, but should
	// not be used in production. When set, Load returns a nil *tls.Config and
	// none of the other fields are consulted.
	Disabled bool
	// CACertsPath is a path to a file or directory containing CA certificates to
	// use to verify the server's certificate. This is only necessary if the server
	// presents a certificate that isn't signed by a trusted public CA. Load
	// decides between the file and directory form by stat'ing the path.
	CACertsPath string
	// ServerName is used to verify the server certificate's subject when it cannot
	// be inferred from Consul.Addresses (i.e. it is not a DNS name). Load copies
	// it verbatim into tls.Config.ServerName.
	ServerName string
	// CertFile is a path to the client certificate that will be presented to
	// Consul servers.
	//
	// Note: this is only required if servers have tls.grpc.verify_incoming enabled.
	// Generally, issuing consul-dataplane instances with client certificates isn't
	// necessary and creates significant operational burden.
	CertFile string
	// KeyFile is a path to the client private key that will be used to communicate
	// with Consul servers (when CertFile is provided).
	//
	// Note: this is only required if servers have tls.grpc.verify_incoming enabled.
	// Generally, issuing consul-dataplane instances with client certificates isn't
	// necessary and creates significant operational burden.
	KeyFile string
	// InsecureSkipVerify causes consul-dataplane not to verify the certificate
	// presented by the server. This is useful for testing, but should not be used
	// in production: the server's identity is then not authenticated at all, so
	// CACertsPath and ServerName provide no protection. Load copies it verbatim
	// into tls.Config.InsecureSkipVerify.
	InsecureSkipVerify bool
}
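// Load creates a *tls.Config from the settings, including loading the CA
// certificates and, when configured, the client certificate/key pair.
//
// It returns (nil, nil) when Disabled is set. It returns an error when
// CACertsPath cannot be stat'ed, when the CA certificates cannot be
// configured, when only one of CertFile/KeyFile is set, or when the key pair
// cannot be loaded.
func (t *TLSConfig) Load() (*tls.Config, error) {
	if t.Disabled {
		return nil, nil
	}

	tlsCfg := &tls.Config{
		ServerName:         t.ServerName,
		InsecureSkipVerify: t.InsecureSkipVerify,
		// Go's client-side default is already TLS 1.2; stating it keeps the
		// floor explicit rather than dependent on the toolchain default.
		MinVersion: tls.VersionTLS12,
	}

	// rootcerts takes either a single PEM file or a directory of PEM files,
	// so pick the field to populate from what CACertsPath points at.
	var rootCfg rootcerts.Config
	if path := t.CACertsPath; path != "" {
		fi, err := os.Stat(path)
		if err != nil {
			return nil, fmt.Errorf("failed to read CA certs: %w", err)
		}
		if fi.IsDir() {
			rootCfg.CAPath = path
		} else {
			rootCfg.CAFile = path
		}
	}
	if err := rootcerts.ConfigureTLS(tlsCfg, &rootCfg); err != nil {
		return nil, fmt.Errorf("failed to configure CA certs: %w", err)
	}

	// A client certificate needs both halves. Silently ignoring a lone
	// CertFile or KeyFile would drop mTLS with no indication to the operator,
	// so a partial pair is reported as a configuration error instead.
	switch {
	case t.CertFile != "" && t.KeyFile != "":
		cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("failed to configure TLS cert: %w", err)
		}
		tlsCfg.Certificates = []tls.Certificate{cert}
	case t.CertFile != "" || t.KeyFile != "":
		return nil, fmt.Errorf("failed to configure TLS cert: both CertFile and KeyFile must be set")
	}

	return tlsCfg, nil
}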
// CredentialsConfig contains the credentials used to authenticate requests and
// streams to the Consul servers. Type selects which of Static or Login is
// used; ToDiscoveryCredentials performs the conversion.
type CredentialsConfig struct {
	// Type identifies the type of credentials provided.
	Type CredentialsType
	// Static contains the static ACL token. Only consulted when Type is
	// CredentialsTypeStatic.
	Static StaticCredentialsConfig
	// Login contains the credentials for logging in with an auth method. Only
	// consulted when Type is CredentialsTypeLogin.
	Login LoginCredentialsConfig
}
// CredentialsType identifies the type of credentials provided. The known
// values are the CredentialsType* constants below.
type CredentialsType string
const (
	// CredentialsTypeNone indicates that no credentials were given. It is the
	// zero value, so an unset Type means "no credentials".
	CredentialsTypeNone CredentialsType = ""
	// CredentialsTypeStatic indicates that a static ACL token was provided.
	CredentialsTypeStatic CredentialsType = "static"
	// CredentialsTypeLogin indicates that credentials were provided to log in with
	// an auth method.
	CredentialsTypeLogin CredentialsType = "login"
)
// StaticCredentialsConfig contains the static ACL token that will be used to
// authenticate requests and streams to the Consul servers.
type StaticCredentialsConfig struct {
	// Token is the static ACL token. It is passed through unchanged to the
	// discovery credentials.
	Token string
}
// LoginCredentialsConfig contains credentials for logging in with an auth method.
type LoginCredentialsConfig struct {
	// AuthMethod is the name of the Consul auth method.
	AuthMethod string
	// Namespace is the namespace containing the auth method.
	Namespace string
	// Partition is the partition containing the auth method.
	Partition string
	// Datacenter is the datacenter containing the auth method.
	Datacenter string
	// BearerToken is the bearer token presented to the auth method. When set,
	// it takes precedence over BearerTokenPath.
	BearerToken string
	// BearerTokenPath is the path to a file containing a bearer token. It is
	// only read (by ToDiscoveryCredentials) when BearerToken is empty.
	BearerTokenPath string
	// Meta is the arbitrary set of key-value pairs to attach to the
	// token. These are included in the Description field of the token.
	// The map is shared by reference with the discovery credentials, not copied.
	Meta map[string]string
}
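// ToDiscoveryCredentials creates a discovery.Credentials from the config,
// loading the bearer token from BearerTokenPath when Login.BearerToken is empty.
//
// It returns the zero discovery.Credentials for CredentialsTypeNone. It
// returns an error for an unknown Type, when the bearer token file cannot be
// read, or when that file is empty after trimming surrounding whitespace.
func (cc *CredentialsConfig) ToDiscoveryCredentials() (discovery.Credentials, error) {
	var creds discovery.Credentials

	switch cc.Type {
	case CredentialsTypeNone:
		return creds, nil

	case CredentialsTypeStatic:
		creds.Type = discovery.CredentialsTypeStatic
		creds.Static = discovery.StaticTokenCredential{
			Token: cc.Static.Token,
		}

	case CredentialsTypeLogin:
		creds.Type = discovery.CredentialsTypeLogin
		creds.Login = discovery.LoginCredential{
			AuthMethod:  cc.Login.AuthMethod,
			Namespace:   cc.Login.Namespace,
			Partition:   cc.Login.Partition,
			Datacenter:  cc.Login.Datacenter,
			BearerToken: cc.Login.BearerToken,
			Meta:        cc.Login.Meta,
		}
		// An inline token wins; the file is consulted only when none was given.
		if creds.Login.BearerToken == "" && cc.Login.BearerTokenPath != "" {
			bearer, err := readBearerTokenFile(cc.Login.BearerTokenPath)
			if err != nil {
				return creds, err
			}
			creds.Login.BearerToken = bearer
		}

	default:
		return creds, fmt.Errorf("unknown credential type: %s", cc.Type)
	}

	return creds, nil
}

// readBearerTokenFile reads a bearer token from path. Surrounding whitespace
// (typically a trailing newline left by an editor or shell redirect) is
// stripped: it is never part of the token and would otherwise be presented to
// the auth method verbatim and rejected. An empty result is reported as an
// error rather than returned as a token that cannot authenticate.
func readBearerTokenFile(path string) (string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("failed to read bearer token from file: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return "", fmt.Errorf("failed to read bearer token from file: %q is empty", path)
	}
	return token, nil
}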
// LoggingConfig can be used to specify logger configuration settings.
type LoggingConfig struct {
	// Name of the subsystem to prefix logs with.
	Name string
	// LogLevel is the logging level. Valid values - TRACE, DEBUG, INFO, WARN, ERROR.
	// Validation happens wherever the logger is built, not in this package.
	LogLevel string
	// LogJSON controls if the output should be in JSON.
	LogJSON bool
}
// ProxyConfig contains details of the proxy service instance.
type ProxyConfig struct {
	// NodeName is the name of the node to which the proxy service instance is
	// registered. Ignored in Consul Catalog V2.
	NodeName string
	// NodeID is the ID of the node to which the proxy service instance is
	// registered. Ignored in Consul Catalog V2.
	NodeID string
	// ProxyID is the ID of the proxy service instance or workload.
	ProxyID string
	// Namespace is the Consul Enterprise namespace in which the proxy service
	// instance or workload is registered.
	Namespace string
	// Partition is the Consul Enterprise partition in which the proxy service
	// instance or workload is registered.
	Partition string
}
// TelemetryConfig contains configuration for telemetry.
type TelemetryConfig struct {
	// UseCentralConfig controls whether the proxy will apply the central telemetry
	// configuration.
	UseCentralConfig bool
	// Prometheus contains Prometheus-specific configuration that cannot be
	// determined from central telemetry configuration.
	Prometheus PrometheusTelemetryConfig
}
// PrometheusTelemetryConfig contains Prometheus-specific telemetry config.
type PrometheusTelemetryConfig struct {
	// RetentionTime controls the duration that metrics are aggregated for.
	RetentionTime time.Duration
	// CACertsPath is a path to a file or directory containing CA certificates
	// to use to verify the Prometheus server's certificate. This is only
	// necessary if the server presents a certificate that isn't signed by a
	// trusted public CA.
	CACertsPath string
	// KeyFile is a path to the client private key used for serving Prometheus
	// metrics.
	KeyFile string
	// CertFile is a path to the client certificate used for serving Prometheus
	// metrics.
	CertFile string
	// ServiceMetricsURL is an optional URL that must serve Prometheus metrics.
	// The metrics at this URL are scraped and merged into Consul Dataplane's
	// main Prometheus metrics.
	ServiceMetricsURL string
	// ScrapePath is the URL path where Envoy serves Prometheus metrics.
	ScrapePath string
	// MergePort is the port on which the merged metrics are served.
	MergePort int
}
// EnvoyConfig contains configuration for the Envoy process.
type EnvoyConfig struct {
	// AdminBindAddress is the address on which the Envoy admin server will be available.
	AdminBindAddress string
	// AdminBindPort is the port on which the Envoy admin server will be available.
	AdminBindPort int
	// ReadyBindAddress is the address on which the Envoy readiness probe will be available.
	ReadyBindAddress string
	// ReadyBindPort is the port on which the Envoy readiness probe will be available.
	ReadyBindPort int
	// EnvoyConcurrency is the envoy concurrency https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-concurrency
	EnvoyConcurrency int
	// EnvoyDrainTimeSeconds is the time in seconds for which Envoy will drain connections
	// during a hot restart, when listeners are modified or removed via LDS, or when
	// initiated manually via a request to the Envoy admin API.
	// The Envoy HTTP connection manager filter will add "Connection: close" to HTTP1
	// requests, send HTTP2 GOAWAY, and terminate connections on request completion
	// (after the delayed close period).
	// https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-drain-time-s
	EnvoyDrainTimeSeconds int
	// EnvoyDrainStrategy is the behaviour of Envoy during the drain sequence.
	// Determines whether all open connections should be encouraged to drain
	// immediately or to increase the percentage gradually as the drain time elapses.
	// https://www.envoyproxy.io/docs/envoy/latest/operations/cli#cmdoption-drain-strategy
	EnvoyDrainStrategy string
	// ShutdownDrainListenersEnabled configures whether to start draining proxy
	// listeners before terminating the proxy container. Drain time defaults to
	// the value of ShutdownGracePeriodSeconds, but may be set explicitly with
	// EnvoyDrainTimeSeconds.
	ShutdownDrainListenersEnabled bool
	// ShutdownGracePeriodSeconds is the amount of time to wait after receiving a
	// SIGTERM before terminating the proxy container.
	ShutdownGracePeriodSeconds int
	// GracefulShutdownPath is the path on which the HTTP endpoint to initiate a
	// graceful shutdown of Envoy is served.
	GracefulShutdownPath string
	// StartupGracePeriodSeconds is the amount of time to block the application
	// after startup for the Envoy proxy to become ready.
	StartupGracePeriodSeconds int
	// GracefulStartupPath is the path where the HTTP endpoint to initiate a
	// graceful startup of Envoy is served.
	GracefulStartupPath string
	// GracefulPort is the port on which the HTTP server for graceful shutdown
	// endpoints will be available.
	GracefulPort int
	// DumpEnvoyConfigOnExitEnabled configures whether to call Envoy's
	// /config_dump endpoint during consul-dataplane controlled shutdown.
	DumpEnvoyConfigOnExitEnabled bool
	// ExtraArgs are the extra arguments passed to envoy at startup of the proxy.
	// They are forwarded as given; nothing in this package validates them.
	ExtraArgs []string
}
// XDSServer contains the configuration of the xDS server.
type XDSServer struct {
	// BindAddress is the address on which the Envoy xDS server will be available.
	BindAddress string
	// BindPort is the port on which the Envoy xDS server will be available.
	BindPort int
}
// Config is the configuration used by consul-dataplane, consolidated
// from various sources - CLI flags, env vars, config file settings.
// Every section is a pointer; whether a nil section is tolerated is up to the
// code that consumes it, not to this package.
type Config struct {
	// DNSServer configures the transparent DNS proxy.
	DNSServer *DNSServerConfig
	// Consul configures the connection to Consul servers.
	Consul *ConsulConfig
	// Proxy identifies the proxy service instance.
	Proxy *ProxyConfig
	// Logging configures the logger.
	Logging *LoggingConfig
	// Telemetry configures metrics collection.
	Telemetry *TelemetryConfig
	// Envoy configures the Envoy process.
	Envoy *EnvoyConfig
	// XDSServer configures the xDS server that Envoy connects to.
	XDSServer *XDSServer
}