Agent Auto Configuration: Client First Time Auto Configuration #8086
Conversation
mkeeler
changed the title
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
3ad5cff to
488aee1
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
00490d7 to
94d93ad
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
a6e21a5 to
303391e
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
7 times, most recently
from
edbbd45 to
378bf66
Compare
agent/acl.go
Outdated
| @@ -187,23 +187,23 @@ func (a *Agent) vetCheckRegisterWithAuthorizer(authz acl.Authorizer, check *stru | |||
| // Vet the check itself. | |||
| if len(check.ServiceName) > 0 { | |||
| if authz.ServiceWrite(check.ServiceName, &authzContext) != acl.Allow { | |||
| return acl.ErrPermissionDenied | |||
| return acl.PermissionDenied("Missing service:write on %s", check.CompoundServiceID()) | |||
There was a problem hiding this comment.
I added these in while debugging some issues but figured I would leave them as we want permission denied errors like this anyways.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
ab38fed to
bdf2dbb
Compare
| @@ -258,7 +265,7 @@ var ( | |||
| nodeRWSecret: { | |||
| token: structs.ACLToken{ | |||
| AccessorID: "efb6b7d5-d343-47c1-b4cb-aa6b94d2f490", | |||
| SecretID: nodeROSecret, | |||
| SecretID: nodeRWSecret, | |||
There was a problem hiding this comment.
Fixed a previous typo although it doesn't matter in the tests as the secret was already used to lookup the token.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
6253b0e to
cd0b45f
Compare
| @@ -247,8 +253,6 @@ type Agent struct { | |||
| eventLock sync.RWMutex | |||
| eventNotify NotifyGroup | |||
|
|
|||
| reloadCh chan chan error | |||
There was a problem hiding this comment.
The reloadCh was previously used for the odd interaction between the cli command and the Agent itself. To do an API triggered reload before required the agent endpoint code pushing a chan into this chan and then waiting to hear back that the reload was completed. The cli command was responsible for processing that chan.
Now reloads happen a little differently since the Agent itself is responsible for parsing configuration (or rather the autoconf package). Now the cli command will process a SIGHUP and just call ReloadConfig on the Agent. The HTTP endpoint will do similarly and there is no need for the channel.
| @@ -313,22 +317,103 @@ type Agent struct { | |||
| // IP. | |||
| httpConnLimiter connlimit.Limiter | |||
|
|
|||
| // Connection Pool | |||
| connPool *pool.ConnPool | |||
There was a problem hiding this comment.
The Agent code now needs to make insecure RPCs to servers for autoconfig so the shared connection pool has been moved up a level into the Agent and we pass it down into the Server/Client
| if err := a.CheckSecurity(newCfg); err != nil { | ||
| a.logger.Error("Security error while reloading configuration: %#v", err) | ||
| return err | ||
| } | ||
|
|
||
| // Change the log level and update it | ||
| if logging.ValidateLogLevel(newCfg.LogLevel) { |
There was a problem hiding this comment.
Moved from the cli commands processing of the configuration to update the loggers level.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
from
cd0b45f to
93c5261
Compare
| @@ -916,6 +916,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) { | |||
| ConnectMeshGatewayWANFederationEnabled: connectMeshGatewayWANFederationEnabled, | |||
| ConnectSidecarMinPort: sidecarMinPort, | |||
| ConnectSidecarMaxPort: sidecarMaxPort, | |||
| ConnectTestCALeafRootChangeSpread: b.durationVal("connect.test_ca_leaf_root_change_spread", c.Connect.TestCALeafRootChangeSpread), | |||
There was a problem hiding this comment.
Put into the Config and map into the RuntimeConfig to simplify how test overrides are done. We now just inject a source after the tail that can include this value along with other things such as the check_reap_interval
| @@ -466,7 +466,11 @@ func (p *ConnPool) getNewConn(dc string, nodeName string, addr net.Addr) (*Conn, | |||
| conf.LogOutput = p.LogOutput | |||
|
|
|||
| // Create a multiplexed session | |||
| session, _ := yamux.Client(conn, conf) | |||
| session, err := yamux.Client(conn, conf) | |||
| if err != nil { | |||
There was a problem hiding this comment.
At one point I experienced a segfault here. I fixed why it could occur but thought it best to leave the error checking in.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
ef01a47 to
2bef1b5
Compare
mkeeler
force-pushed
the
feature/auto-config/server-rpc
branch
2 times, most recently
from
39d5bfa to
9f4401f
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
from
2bef1b5 to
81a895b
Compare
mkeeler
force-pushed
the
feature/auto-config/server-rpc
branch
from
9f4401f to
9b01f94
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
afb178e to
e67d9fd
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
from
e67d9fd to
5d669c0
Compare
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
2 times, most recently
from
ee0a02c to
f9356d0
Compare
This is needed so that we can make an AutoConfig RPC at the Agent level prior to creating the Client/Server.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
from
f9356d0 to
9fe7bcb
Compare
There are a couple of things in here. First, just like auto encrypt, any Cluster.AutoConfig RPC will implicitly use the less secure RPC mechanism. This drastically modifies how the Consul Agent starts up and moves most of the responsibilities (other than signal handling) from the cli command and into the Agent.
mkeeler
force-pushed
the
feature/auto-config/client-config-inject
branch
from
9fe7bcb to
3dbbd2d
Compare
| logGate.Flush() | ||
| return 1 | ||
| } | ||
|
|
||
| // Create the agent | ||
| cli.output("Starting Consul agent...") |
There was a problem hiding this comment.
This log output should go above agent.New
There was a problem hiding this comment.
It cannot go there any longer.
Before the cli code here parsed the config so it already knew prior to creating the agent whether it was doing JSON logging or not. Now it doesn't know that until after agent.New and we still want to prevent unstructured logs from being emitted when configured to do JSON logging.
There was a problem hiding this comment.
However the output was misleading before. It had nothing to do with starting the agent but rather building an object and it would call agent.Start() later on.
|
🍒✅ Cherry pick of commit abce1f0 onto |
This PR is a rather large change to how we go about starting up an agent. Previously a lot of the logic was built into the CLI command but most of that was moved into the Agent itself.
Most of the necessary changes in this PR are fallout from test expectations about how we can force new configuration into the Agent. Functionally all the real code changes are in agent/agent.go command/agent/agent.go and agent/auto-config/auto_config.go
TODOS:
verify_incoming(Will be in a future PR)Right now if you try to set verify incoming prior to having certs it doesn't work even though eventually the agent will get certs and serve out HTTPs