render templates with external functions

Some consumers of `consul-template` use it like a library, where the application
runs the runner in-process. For projects like Nomad which need to run with a
high level of privilege, this is problematic in that its challenging to secure
the operations that read and write from disk without running the entirety of CT
as an external process (which carries a lot of overhead for Nomad workloads).

Add a `RendererFunc` and `ReaderFunc` interface to allow Nomad to inject a
sandboxed subprocess when reading from disk and writing to disk.

This implementation is currently being used in Nomad 1.7.4, 1.6.7, and
1.5.14 as a mitigation for hashicorp/nomad#19888. See
hashicorp/nomad@df86503
for example usage.

config/config.go

@@ -14,6 +14,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/hashicorp/consul-template/renderer"
 	"github.com/hashicorp/consul-template/signals"
 	"github.com/hashicorp/hcl"
 	homedir "github.com/mitchellh/go-homedir"
@@ -111,8 +112,17 @@ type Config struct {
 	// ErrOnFailedLookup, when enabled, will trigger an error if a dependency
 	// fails to return a value.
 	ErrOnFailedLookup bool `mapstructure:"err_on_failed_lookup"`
+
+	// RendererFunc is called whenever the template needs to be written, and
+	// will default to renderer.Render. This is intended for use when embedding
+	// Consul Template in another application
+	RendererFunc renderer.Renderer `mapstructure:"-" json:"-"`
+
+	ReaderFunc Reader `mapstructure:"-" json:"-"`
 }
 
+type Reader func(src string) ([]byte, error)
+
 // Copy returns a deep copy of the current configuration. This is useful because
 // the nested data structures may be shared.
 func (c *Config) Copy() *Config {
@@ -182,6 +192,9 @@ func (c *Config) Copy() *Config {
 		o.Nomad = c.Nomad.Copy()
 	}
 
+	o.RendererFunc = c.RendererFunc
+	o.ReaderFunc = c.ReaderFunc
+
 	return &o
 }
 
@@ -275,6 +288,13 @@ func (c *Config) Merge(o *Config) *Config {
 		r.Nomad = r.Nomad.Merge(o.Nomad)
 	}
 
+	if o.RendererFunc != nil {
+		r.RendererFunc = o.RendererFunc
+	}
+	if o.ReaderFunc != nil {
+		r.ReaderFunc = o.ReaderFunc
+	}
+
 	return r
 }
 
@@ -636,6 +656,13 @@ func (c *Config) Finalize() {
 	if c.BlockQueryWaitTime == nil {
 		c.BlockQueryWaitTime = TimeDuration(DefaultBlockQueryWaitTime)
 	}
+
+	if c.RendererFunc == nil {
+		c.RendererFunc = renderer.Render
+	}
+	if c.ReaderFunc == nil {
+		c.ReaderFunc = os.ReadFile
+	}
 }
 
 func stringFromEnv(list []string, def string) *string {

manager/runner.go

@@ -114,6 +114,10 @@ type Runner struct {
 	// stopped is a boolean of whether the runner is stopped
 	stopped bool
 
+	rendererFn renderer.Renderer
+
+	readerFn config.Reader
+
 	// finalConfigCopy provides access to a static copy of the finalized
 	// Runner config. This prevents risk of data races when reading config for
 	// other elements started by the Runner, like template functions.
@@ -200,6 +204,15 @@ func NewRunner(config *config.Config, dry bool) (*Runner, error) {
 		brain:         template.NewBrain(),
 		quiescenceMap: make(map[string]*quiescence),
 		quiescenceCh:  make(chan *template.Template),
+		rendererFn:    config.RendererFunc,
+		readerFn:      config.ReaderFunc,
+	}
+
+	if runner.rendererFn == nil {
+		runner.rendererFn = renderer.Render
+	}
+	if runner.readerFn == nil {
+		runner.readerFn = os.ReadFile
 	}
 
 	// Create the clientset
@@ -853,7 +866,7 @@ func (r *Runner) runTemplate(tmpl *template.Template, runCtx *templateRunCtx) (*
 		log.Printf("[DEBUG] (runner) rendering %s", templateConfig.Display())
 
 		// Render the template, taking dry mode into account
-		result, err := renderer.Render(&renderer.RenderInput{
+		result, err := r.rendererFn(&renderer.RenderInput{
 			Backup:         config.BoolVal(templateConfig.Backup),
 			Contents:       result.Output,
 			CreateDestDirs: config.BoolVal(templateConfig.CreateDestDirs),
@@ -975,6 +988,7 @@ func (r *Runner) init(clients *dep.ClientSet) error {
 			SandboxPath:      config.StringVal(ctmpl.SandboxPath),
 			Destination:      config.StringVal(ctmpl.Destination),
 			Config:           ctmpl,
+			ReaderFunc:       r.config.ReaderFunc,
 		})
 		if err != nil {
 			return err

renderer/renderer.go

@@ -59,9 +59,12 @@ type RenderResult struct {
 	Contents []byte
 }
 
+type Renderer func(*RenderInput) (*RenderResult, error)
+
 // Render atomically renders a file contents to disk, returning a result of
 // whether it would have rendered and actually did render.
 func Render(i *RenderInput) (*RenderResult, error) {
+
 	existing, err := os.ReadFile(i.Path)
 	fileExists := !os.IsNotExist(err)
 	if err != nil && fileExists {

template/template.go

@@ -8,7 +8,6 @@ import (
 	"crypto/md5"
 	"encoding/hex"
 	"fmt"
-	"os"
 	"strings"
 	"text/template"
 
@@ -117,6 +116,9 @@ type NewTemplateInput struct {
 
 	// Config keeps local reference to config struct
 	Config *config.TemplateConfig
+
+	// ReaderFunc is called to read in any source file
+	ReaderFunc config.Reader
 }
 
 // NewTemplate creates and parses a new Consul Template template at the given
@@ -154,7 +156,7 @@ func NewTemplate(i *NewTemplateInput) (*Template, error) {
 	}
 
 	if i.Source != "" {
-		contents, err := os.ReadFile(i.Source)
+		contents, err := i.ReaderFunc(i.Source)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to read template")
 		}

template/template_test.go

@@ -119,6 +119,9 @@ func TestNewTemplate(t *testing.T) {
 
 	for i, tc := range cases {
 		t.Run(fmt.Sprintf("%d_%s", i, tc.name), func(t *testing.T) {
+			if tc.i != nil {
+				tc.i.ReaderFunc = os.ReadFile
+			}
 			a, err := NewTemplate(tc.i)
 			if (err != nil) != tc.err {
 				t.Fatal(err)