Merge pull request #7714 from hashicorp/oss-sync/msp-agent-token

hashicorp · May 4, 2020 · daec810 · daec810
2 parents 55050be + cbe3a70
commit daec810
Show file tree

Hide file tree

Showing 21 changed files with 555 additions and 78 deletions.
diff --git a/agent/agent.go b/agent/agent.go
@@ -1413,7 +1413,7 @@ func (a *Agent) consulConfig() (*consul.Config, error) {
 
 	base.ConfigEntryBootstrap = a.config.ConfigEntryBootstrap
 
-	return base, nil
+	return a.enterpriseConsulConfig(base)
 }
 
 // Setup the serf and memberlist config for any defined network segments.

diff --git a/agent/agent_oss.go b/agent/agent_oss.go
@@ -32,6 +32,11 @@ func (a *Agent) reloadEnterprise(conf *config.RuntimeConfig) error {
 	return nil
 }
 
+// enterpriseConsulConfig is a noop stub for the func defined in agent_ent.go
+func (a *Agent) enterpriseConsulConfig(base *consul.Config) (*consul.Config, error) {
+	return base, nil
+}
+
 // WriteEvent is a noop stub for the func defined agent_ent.go
 func (a *Agent) WriteEvent(eventType string, payload interface{}) {
 }
diff --git a/agent/config/builder.go b/agent/config/builder.go
@@ -278,11 +278,14 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		if s.Name == "" || s.Data == "" {
 			continue
 		}
-		c2, err := Parse(s.Data, s.Format)
+		c2, keys, err := Parse(s.Data, s.Format)
 		if err != nil {
 			return RuntimeConfig{}, fmt.Errorf("Error parsing %s: %s", s.Name, err)
 		}
 
+		// for now this is a soft failure that will cause warnings but not actual problems
+		b.validateEnterpriseConfigKeys(&c2, keys)
+
 		// if we have a single 'check' or 'service' we need to add them to the
 		// list of checks and services first since we cannot merge them
 		// generically and later values would clobber earlier ones.

diff --git a/agent/config/builder_oss.go b/agent/config/builder_oss.go
@@ -2,6 +2,72 @@
 
 package config
 
+import (
+	"fmt"
+
+	"github.com/hashicorp/go-multierror"
+)
+
+var (
+	enterpriseConfigMap map[string]func(*Config) = map[string]func(c *Config){
+		"non_voting_server": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"segment": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"segments": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"autopilot.redundancy_zone_tag": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"autopilot.upgrade_version_tag": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"autopilot.disable_upgrade_migration": func(c *Config) {
+			// to maintain existing compatibility we don't nullify the value
+		},
+		"dns_config.prefer_namespace": func(c *Config) {
+			c.DNS.PreferNamespace = nil
+		},
+		"acl.msp_disable_bootstrap": func(c *Config) {
+			c.ACL.MSPDisableBootstrap = nil
+		},
+		"acl.tokens.managed_service_provider": func(c *Config) {
+			c.ACL.Tokens.ManagedServiceProvider = nil
+		},
+	}
+)
+
+type enterpriseConfigKeyError struct {
+	key string
+}
+
+func (e enterpriseConfigKeyError) Error() string {
+	return fmt.Sprintf("%q is a Consul Enterprise configuration and will have no effect", e.key)
+}
+
 func (_ *Builder) BuildEnterpriseRuntimeConfig(_ *Config) (EnterpriseRuntimeConfig, error) {
 	return EnterpriseRuntimeConfig{}, nil
 }
+
+// validateEnterpriseConfig is a function to validate the enterprise specific
+// configuration items after Parsing but before merging into the overall
+// configuration. The original intent is to use it to ensure that we warn
+// for enterprise configurations used in OSS.
+func (b *Builder) validateEnterpriseConfigKeys(config *Config, keys []string) error {
+	var err error
+
+	for _, k := range keys {
+		if unset, ok := enterpriseConfigMap[k]; ok {
+			keyErr := enterpriseConfigKeyError{key: k}
+
+			b.warn(keyErr.Error())
+			err = multierror.Append(err, keyErr)
+			unset(config)
+		}
+	}
+
+	return err
+}
diff --git a/agent/config/builder_oss_test.go b/agent/config/builder_oss_test.go
@@ -0,0 +1,159 @@
+// +build !consulent
+
+package config
+
+import (
+	"testing"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuilder_validateEnterpriseConfigKeys(t *testing.T) {
+	// ensure that all the enterprise configurations
+	type testCase struct {
+		config  Config
+		keys    []string
+		badKeys []string
+		check   func(t *testing.T, c *Config)
+	}
+
+	boolVal := true
+	stringVal := "string"
+
+	cases := map[string]testCase{
+		"non_voting_server": {
+			config: Config{
+				NonVotingServer: &boolVal,
+			},
+			keys:    []string{"non_voting_server"},
+			badKeys: []string{"non_voting_server"},
+		},
+		"segment": {
+			config: Config{
+				SegmentName: &stringVal,
+			},
+			keys:    []string{"segment"},
+			badKeys: []string{"segment"},
+		},
+		"segments": {
+			config: Config{
+				Segments: []Segment{
+					{Name: &stringVal},
+				},
+			},
+			keys:    []string{"segments"},
+			badKeys: []string{"segments"},
+		},
+		"autopilot.redundancy_zone_tag": {
+			config: Config{
+				Autopilot: Autopilot{
+					RedundancyZoneTag: &stringVal,
+				},
+			},
+			keys:    []string{"autopilot.redundancy_zone_tag"},
+			badKeys: []string{"autopilot.redundancy_zone_tag"},
+		},
+		"autopilot.upgrade_version_tag": {
+			config: Config{
+				Autopilot: Autopilot{
+					UpgradeVersionTag: &stringVal,
+				},
+			},
+			keys:    []string{"autopilot.upgrade_version_tag"},
+			badKeys: []string{"autopilot.upgrade_version_tag"},
+		},
+		"autopilot.disable_upgrade_migration": {
+			config: Config{
+				Autopilot: Autopilot{
+					DisableUpgradeMigration: &boolVal,
+				},
+			},
+			keys:    []string{"autopilot.disable_upgrade_migration"},
+			badKeys: []string{"autopilot.disable_upgrade_migration"},
+		},
+		"dns_config.prefer_namespace": {
+			config: Config{
+				DNS: DNS{
+					PreferNamespace: &boolVal,
+				},
+			},
+			keys:    []string{"dns_config.prefer_namespace"},
+			badKeys: []string{"dns_config.prefer_namespace"},
+			check: func(t *testing.T, c *Config) {
+				require.Nil(t, c.DNS.PreferNamespace)
+			},
+		},
+		"acl.msp_disable_bootstrap": {
+			config: Config{
+				ACL: ACL{
+					MSPDisableBootstrap: &boolVal,
+				},
+			},
+			keys:    []string{"acl.msp_disable_bootstrap"},
+			badKeys: []string{"acl.msp_disable_bootstrap"},
+			check: func(t *testing.T, c *Config) {
+				require.Nil(t, c.ACL.MSPDisableBootstrap)
+			},
+		},
+		"acl.tokens.managed_service_provider": {
+			config: Config{
+				ACL: ACL{
+					Tokens: Tokens{
+						ManagedServiceProvider: []ServiceProviderToken{
+							{
+								AccessorID: &stringVal,
+								SecretID:   &stringVal,
+							},
+						},
+					},
+				},
+			},
+			keys:    []string{"acl.tokens.managed_service_provider"},
+			badKeys: []string{"acl.tokens.managed_service_provider"},
+			check: func(t *testing.T, c *Config) {
+				require.Empty(t, c.ACL.Tokens.ManagedServiceProvider)
+				require.Nil(t, c.ACL.Tokens.ManagedServiceProvider)
+			},
+		},
+		"multi": {
+			config: Config{
+				NonVotingServer: &boolVal,
+				SegmentName:     &stringVal,
+			},
+			keys:    []string{"non_voting_server", "segment", "acl.tokens.agent_master"},
+			badKeys: []string{"non_voting_server", "segment"},
+		},
+	}
+
+	for name, tcase := range cases {
+		t.Run(name, func(t *testing.T) {
+			b := &Builder{}
+
+			err := b.validateEnterpriseConfigKeys(&tcase.config, tcase.keys)
+			if len(tcase.badKeys) > 0 {
+				require.Error(t, err)
+
+				multiErr, ok := err.(*multierror.Error)
+				require.True(t, ok)
+
+				var badKeys []string
+				for _, e := range multiErr.Errors {
+					if keyErr, ok := e.(enterpriseConfigKeyError); ok {
+						badKeys = append(badKeys, keyErr.key)
+						require.Contains(t, b.Warnings, keyErr.Error())
+					}
+				}
+
+				require.ElementsMatch(t, tcase.badKeys, badKeys)
+
+				if tcase.check != nil {
+					tcase.check(t, &tcase.config)
+				}
+
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}