config

package
v1.4.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 1, 2023 License: MPL-2.0 Imports: 19 Imported by: 424

README

Overview

nomad/structs/config is a package for configuration structs that are shared among packages that needs the same struct definitions, but can't import each other without creating a cyle. This config package must be terminal in the import graph (or very close to terminal in the dependency graph).

Documentation

Index

Constants

View Source
const (
	// DefaultVaultConnectRetryIntv is the retry interval between trying to
	// connect to Vault
	DefaultVaultConnectRetryIntv = 30 * time.Second
)
View Source
const (
	// LimitsNonStreamingConnsPerClient is the number of connections per
	// peer to reserve for non-streaming RPC connections. Since streaming
	// RPCs require their own TCP connection, they have their own limit
	// this amount lower than the overall limit. This reserves a number of
	// connections for Raft and other RPCs.
	//
	// TODO Remove limit once MultiplexV2 is used.
	LimitsNonStreamingConnsPerClient = 20
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ArtifactConfig added in v1.1.14

type ArtifactConfig struct {
	// HTTPReadTimeout is the duration in which a download must complete or
	// it will be canceled. Defaults to 30m.
	HTTPReadTimeout *string `hcl:"http_read_timeout"`

	// HTTPMaxSize is the maximum size of an artifact that will be downloaded.
	// Defaults to 100GB.
	HTTPMaxSize *string `hcl:"http_max_size"`

	// GCSTimeout is the duration in which a GCS operation must complete or
	// it will be canceled. Defaults to 30m.
	GCSTimeout *string `hcl:"gcs_timeout"`

	// GitTimeout is the duration in which a git operation must complete or
	// it will be canceled. Defaults to 30m.
	GitTimeout *string `hcl:"git_timeout"`

	// HgTimeout is the duration in which an hg operation must complete or
	// it will be canceled. Defaults to 30m.
	HgTimeout *string `hcl:"hg_timeout"`

	// S3Timeout is the duration in which an S3 operation must complete or
	// it will be canceled. Defaults to 30m.
	S3Timeout *string `hcl:"s3_timeout"`

	// DecompressionSizeLimit is the maximum amount of data that will be
	// decompressed before triggering an error and cancelling the operation.
	//
	// Default is unset, meaning no limit is applied.
	DecompressionSizeLimit *string `hcl:"decompression_size_limit"`

	// DecompressionFileCountLimit is the maximum number of files that will
	// be decompressed before triggering an error and cancelling the operation.
	//
	// Default is unset, meaning no limit is applied.
	DecompressionFileCountLimit *int `hcl:"decompression_file_count_limit"`
}

ArtifactConfig is the configuration specific to the Artifact block

func DefaultArtifactConfig added in v1.1.14

func DefaultArtifactConfig() *ArtifactConfig

func (*ArtifactConfig) Copy added in v1.1.14

func (a *ArtifactConfig) Copy() *ArtifactConfig

func (*ArtifactConfig) Merge added in v1.1.14

func (*ArtifactConfig) Validate added in v1.1.14

func (a *ArtifactConfig) Validate() error

type AuditConfig added in v0.11.0

type AuditConfig struct {
	// Enabled controls the Audit Logging mode
	Enabled *bool `hcl:"enabled"`

	// Sinks configure output sinks for audit logs
	Sinks []*AuditSink `hcl:"sink"`

	// Filters configure audit event filters to filter out certain eevents
	// from being written to a sink.
	Filters []*AuditFilter `hcl:"filter"`

	// ExtraKeysHCL is used by hcl to surface unexpected keys
	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`
}

AuditConfig is the configuration specific to Audit Logging

func (*AuditConfig) Copy added in v0.11.0

func (a *AuditConfig) Copy() *AuditConfig

Copy returns a new copy of an AuditConfig

func (*AuditConfig) Merge added in v0.11.0

func (a *AuditConfig) Merge(b *AuditConfig) *AuditConfig

Merge is used to merge two Audit Configs together. Settings from the input take precedence.

type AuditFilter added in v0.11.0

type AuditFilter struct {
	// Name is a unique name given to the filter
	Name string `hcl:",key"`

	// Type of auditing event to filter, such as HTTPEvent
	Type string `hcl:"type"`

	// Endpoints is the list of endpoints to include in the filter
	Endpoints []string `hcl:"endpoints"`

	// State is the auditing request lifecycle stage to filter
	Stages []string `hcl:"stages"`

	// Operations is the type of operation to filter, such as GET, DELETE
	Operations []string `hcl:"operations"`
}

AuditFilter is the configuration for a Audit Log Filter

func (*AuditFilter) Copy added in v0.11.0

func (a *AuditFilter) Copy() *AuditFilter

type AuditSink added in v0.11.0

type AuditSink struct {
	// Name is a unique name given to the filter
	Name string `hcl:",key"`

	// DeliveryGuarantee is the level at which delivery of logs must
	// be met in order to successfully make requests
	DeliveryGuarantee string `hcl:"delivery_guarantee"`

	// Type is the sink type to configure. (file)
	Type string `hcl:"type"`

	// Format is the sink output format. (json)
	Format string `hcl:"format"`

	// FileName is the name that the audit log should follow.
	// If rotation is enabled the pattern will be name-timestamp.log
	Path string `hcl:"path"`

	// RotateDuration is the time period that logs should be rotated in
	RotateDuration    time.Duration
	RotateDurationHCL string `hcl:"rotate_duration" json:"-"`

	// RotateBytes is the max number of bytes that should be written to a file
	RotateBytes int `hcl:"rotate_bytes"`

	// RotateMaxFiles is the max number of log files to keep
	RotateMaxFiles int `hcl:"rotate_max_files"`

	// Mode is the octal formatted permissions for the audit log files.
	Mode string `hcl:"mode"`
}

func (*AuditSink) Copy added in v0.11.0

func (a *AuditSink) Copy() *AuditSink

type AutopilotConfig added in v0.8.0

type AutopilotConfig struct {
	// CleanupDeadServers controls whether to remove dead servers when a new
	// server is added to the Raft peers.
	CleanupDeadServers *bool `hcl:"cleanup_dead_servers"`

	// ServerStabilizationTime is the minimum amount of time a server must be
	// in a stable, healthy state before it can be added to the cluster. Only
	// applicable with Raft protocol version 3 or higher.
	ServerStabilizationTime    time.Duration
	ServerStabilizationTimeHCL string `hcl:"server_stabilization_time" json:"-"`

	// LastContactThreshold is the limit on the amount of time a server can go
	// without leader contact before being considered unhealthy.
	LastContactThreshold    time.Duration
	LastContactThresholdHCL string `hcl:"last_contact_threshold" json:"-"`

	// MaxTrailingLogs is the amount of entries in the Raft Log that a server can
	// be behind before being considered unhealthy.
	MaxTrailingLogs int `hcl:"max_trailing_logs"`

	// MinQuorum sets the minimum number of servers required in a cluster
	// before autopilot can prune dead servers.
	MinQuorum int `hcl:"min_quorum"`

	// (Enterprise-only) EnableRedundancyZones specifies whether to enable redundancy zones.
	EnableRedundancyZones *bool `hcl:"enable_redundancy_zones"`

	// (Enterprise-only) DisableUpgradeMigration will disable Autopilot's upgrade migration
	// strategy of waiting until enough newer-versioned servers have been added to the
	// cluster before promoting them to voters.
	DisableUpgradeMigration *bool `hcl:"disable_upgrade_migration"`

	// (Enterprise-only) EnableCustomUpgrades specifies whether to enable using custom
	// upgrade versions when performing migrations.
	EnableCustomUpgrades *bool `hcl:"enable_custom_upgrades"`

	// ExtraKeysHCL is used by hcl to surface unexpected keys
	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`
}

func DefaultAutopilotConfig added in v0.8.0

func DefaultAutopilotConfig() *AutopilotConfig

DefaultAutopilotConfig returns the canonical defaults for the Nomad `autopilot` configuration.

func (*AutopilotConfig) Copy added in v0.8.0

func (a *AutopilotConfig) Copy() *AutopilotConfig

Copy returns a copy of this Autopilot config.

func (*AutopilotConfig) Merge added in v0.8.0

type ConsulConfig

type ConsulConfig struct {
	// ServerServiceName is the name of the service that Nomad uses to register
	// servers with Consul
	ServerServiceName string `hcl:"server_service_name"`

	// ServerHTTPCheckName is the name of the health check that Nomad uses
	// to register the server HTTP health check with Consul
	ServerHTTPCheckName string `hcl:"server_http_check_name"`

	// ServerSerfCheckName is the name of the health check that Nomad uses
	// to register the server Serf health check with Consul
	ServerSerfCheckName string `hcl:"server_serf_check_name"`

	// ServerRPCCheckName is the name of the health check that Nomad uses
	// to register the server RPC health check with Consul
	ServerRPCCheckName string `hcl:"server_rpc_check_name"`

	// ClientServiceName is the name of the service that Nomad uses to register
	// clients with Consul
	ClientServiceName string `hcl:"client_service_name"`

	// ClientHTTPCheckName is the name of the health check that Nomad uses
	// to register the client HTTP health check with Consul
	ClientHTTPCheckName string `hcl:"client_http_check_name"`

	// Tags are optional service tags that get registered with the service
	// in Consul
	Tags []string `hcl:"tags"`

	// AutoAdvertise determines if this Nomad Agent will advertise its
	// services via Consul.  When true, Nomad Agent will register
	// services with Consul.
	AutoAdvertise *bool `hcl:"auto_advertise"`

	// ChecksUseAdvertise specifies that Consul checks should use advertise
	// address instead of bind address
	ChecksUseAdvertise *bool `hcl:"checks_use_advertise"`

	// Addr is the HTTP endpoint address of the local Consul agent
	//
	// Uses Consul's default and env var.
	Addr string `hcl:"address"`

	// GRPCAddr is the gRPC endpoint address of the local Consul agent
	GRPCAddr string `hcl:"grpc_address"`

	// Timeout is used by Consul HTTP Client
	Timeout    time.Duration `hcl:"-"`
	TimeoutHCL string        `hcl:"timeout" json:"-"`

	// Token is used to provide a per-request ACL token. This options overrides
	// the agent's default token
	Token string `hcl:"token"`

	// AllowUnauthenticated allows users to submit jobs requiring Consul
	// Service Identity tokens without providing a Consul token proving they
	// have access to such policies.
	AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`

	// Auth is the information to use for http access to Consul agent
	Auth string `hcl:"auth"`

	// EnableSSL sets the transport scheme to talk to the Consul agent as https
	//
	// Uses Consul's default and env var.
	EnableSSL *bool `hcl:"ssl"`

	// ShareSSL enables Consul Connect Native applications to use the TLS
	// configuration of the Nomad Client for establishing connections to Consul.
	//
	// Does not include sharing of ACL tokens.
	ShareSSL *bool `hcl:"share_ssl"`

	// VerifySSL enables or disables SSL verification when the transport scheme
	// for the consul api client is https
	//
	// Uses Consul's default and env var.
	VerifySSL *bool `hcl:"verify_ssl"`

	// GRPCCAFile is the path to the ca certificate used for Consul gRPC communication.
	//
	// Uses Consul's default and env var.
	GRPCCAFile string `hcl:"grpc_ca_file"`

	// CAFile is the path to the ca certificate used for Consul communication.
	//
	// Uses Consul's default and env var.
	CAFile string `hcl:"ca_file"`

	// CertFile is the path to the certificate for Consul communication
	CertFile string `hcl:"cert_file"`

	// KeyFile is the path to the private key for Consul communication
	KeyFile string `hcl:"key_file"`

	// ServerAutoJoin enables Nomad servers to find peers by querying Consul and
	// joining them
	ServerAutoJoin *bool `hcl:"server_auto_join"`

	// ClientAutoJoin enables Nomad servers to find addresses of Nomad servers
	// and register with them
	ClientAutoJoin *bool `hcl:"client_auto_join"`

	// ExtraKeysHCL is used by hcl to surface unexpected keys
	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`

	// Namespace sets the Consul namespace used for all calls against the
	// Consul API. If this is unset, then Nomad does not specify a consul namespace.
	Namespace string `hcl:"namespace"`
}

ConsulConfig contains the configuration information necessary to communicate with a Consul Agent in order to:

- Register services and their checks with Consul

  • Bootstrap this Nomad Client with the list of Nomad Servers registered with Consul

  • Establish how this Nomad Client will resolve Envoy Connect Sidecar images.

Both the Agent and the executor need to be able to import ConsulConfig.

func DefaultConsulConfig

func DefaultConsulConfig() *ConsulConfig

DefaultConsulConfig returns the canonical defaults for the Nomad `consul` configuration. Uses Consul's default configuration which reads environment variables.

func (*ConsulConfig) AllowsUnauthenticated added in v0.10.4

func (c *ConsulConfig) AllowsUnauthenticated() bool

AllowsUnauthenticated returns whether the config allows unauthenticated creation of Consul Service Identity tokens for Consul Connect enabled Tasks.

If allow_unauthenticated is false, the operator must provide a token on job submission (i.e. -consul-token or $CONSUL_HTTP_TOKEN).

func (*ConsulConfig) ApiConfig

func (c *ConsulConfig) ApiConfig() (*consul.Config, error)

ApiConfig returns a usable Consul config that can be passed directly to hashicorp/consul/api. NOTE: datacenter is not set

func (*ConsulConfig) Copy added in v0.5.0

func (c *ConsulConfig) Copy() *ConsulConfig

Copy returns a copy of this Consul config.

func (*ConsulConfig) Merge

func (c *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig

Merge merges two Consul Configurations together.

type ConsulUIConfig added in v1.2.4

type ConsulUIConfig struct {

	// BaseUIURL provides the full base URL to the UI, ex:
	// https://consul.example.com:8500/ui/
	BaseUIURL string `hcl:"ui_url"`
}

ConsulUIConfig configures deep links to this cluster's Consul

func (*ConsulUIConfig) Copy added in v1.2.4

func (old *ConsulUIConfig) Copy() *ConsulUIConfig

Copy returns a copy of this Consul UI config.

func (*ConsulUIConfig) Merge added in v1.2.4

func (old *ConsulUIConfig) Merge(other *ConsulUIConfig) *ConsulUIConfig

Merge returns a new Consul UI configuration by merging another Consul UI configuration into this one

type KeyLoader added in v0.7.1

type KeyLoader struct {
	// contains filtered or unexported fields
}

func (*KeyLoader) GetCertificate added in v0.9.0

func (k *KeyLoader) GetCertificate() *tls.Certificate

func (*KeyLoader) GetClientCertificate added in v0.7.1

func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate fetches the currently-loaded certificate when the Server requests a certificate from the caller. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.

func (*KeyLoader) GetOutgoingCertificate added in v0.7.1

func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetOutgoingCertificate fetches the currently-loaded certificate when accepting a TLS connection. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.

func (*KeyLoader) LoadKeyPair added in v0.7.1

func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)

LoadKeyPair reloads the TLS certificate based on the specified certificate and key file. If successful, stores the certificate for further use.

type Limits added in v0.10.3

type Limits struct {
	// HTTPSHandshakeTimeout is the deadline by which HTTPS TLS handshakes
	// must complete.
	//
	// 0 means no timeout.
	HTTPSHandshakeTimeout string `hcl:"https_handshake_timeout"`

	// HTTPMaxConnsPerClient is the maximum number of concurrent HTTP
	// connections from a single IP address. nil/0 means no limit.
	HTTPMaxConnsPerClient *int `hcl:"http_max_conns_per_client"`

	// RPCHandshakeTimeout is the deadline by which RPC handshakes must
	// complete. The RPC handshake includes the first byte read as well as
	// the TLS handshake and subsequent byte read if TLS is enabled.
	//
	// The deadline is reset after the first byte is read so when TLS is
	// enabled RPC connections may take (timeout * 2) to complete.
	//
	// The RPC handshake timeout only applies to servers. 0 means no
	// timeout.
	RPCHandshakeTimeout string `hcl:"rpc_handshake_timeout"`

	// RPCMaxConnsPerClient is the maximum number of concurrent RPC
	// connections from a single IP address. nil/0 means no limit.
	RPCMaxConnsPerClient *int `hcl:"rpc_max_conns_per_client"`
}

Limits configures timeout limits similar to Consul's limits configuration parameters. Limits is the internal version with the fields parsed.

func DefaultLimits added in v0.10.3

func DefaultLimits() Limits

DefaultLimits returns the default limits values. User settings should be merged into these defaults.

func (*Limits) Copy added in v0.10.3

func (l *Limits) Copy() Limits

Copy returns a new deep copy of a Limits struct.

func (*Limits) Merge added in v0.10.3

func (l *Limits) Merge(o Limits) Limits

Merge returns a new Limits where non-empty/nil fields in the argument have precedence.

type PluginConfig added in v0.9.0

type PluginConfig struct {
	Name   string                 `hcl:",key"`
	Args   []string               `hcl:"args"`
	Config map[string]interface{} `hcl:"config"`
	// ExtraKeysHCL is used by hcl to surface unexpected keys
	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`
}

PluginConfig is used to configure a plugin explicitly

func PluginConfigSetMerge added in v0.9.0

func PluginConfigSetMerge(first, second []*PluginConfig) []*PluginConfig

PluginConfigSetMerge merges to sets of plugin configs. For plugins with the same name, the configs are merged.

func (*PluginConfig) Copy added in v0.9.0

func (p *PluginConfig) Copy() *PluginConfig

func (*PluginConfig) Merge added in v0.9.0

func (p *PluginConfig) Merge(o *PluginConfig) *PluginConfig

type SentinelConfig added in v0.7.0

type SentinelConfig struct {
	// Imports are the configured imports
	Imports []*SentinelImport `hcl:"import,expand"`
}

SentinelConfig is configuration specific to Sentinel

func (*SentinelConfig) Copy added in v1.2.13

func (s *SentinelConfig) Copy() *SentinelConfig

func (*SentinelConfig) Merge added in v0.7.0

Merge is used to merge two Sentinel configs together. The settings from the input always take precedence.

type SentinelImport added in v0.7.0

type SentinelImport struct {
	Name string   `hcl:",key"`
	Path string   `hcl:"path"`
	Args []string `hcl:"args"`
}

SentinelImport is used per configured import

func (*SentinelImport) Copy added in v1.2.13

func (s *SentinelImport) Copy() *SentinelImport

type TLSConfig added in v0.5.0

type TLSConfig struct {

	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
	EnableHTTP bool `hcl:"http"`

	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
	EnableRPC bool `hcl:"rpc"`

	// VerifyServerHostname is used to enable hostname verification of servers. This
	// ensures that the certificate presented is valid for server.<region>.nomad
	// This prevents a compromised client from being restarted as a server, and then
	// intercepting request traffic as well as being added as a raft peer. This should be
	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
	// existing clients.
	VerifyServerHostname bool `hcl:"verify_server_hostname"`

	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
	// or VerifyOutgoing to verify the TLS connection.
	CAFile string `hcl:"ca_file"`

	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	CertFile string `hcl:"cert_file"`

	// KeyLoader is a helper to dynamically reload TLS configuration
	KeyLoader *KeyLoader

	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	KeyFile string `hcl:"key_file"`

	// RPCUpgradeMode should be enabled when a cluster is being upgraded
	// to TLS. Allows servers to accept both plaintext and TLS connections and
	// should only be a temporary state.
	RPCUpgradeMode bool `hcl:"rpc_upgrade_mode"`

	// Verify connections to the HTTPS API
	VerifyHTTPSClient bool `hcl:"verify_https_client"`

	// Checksum is a MD5 hash of the certificate CA File, Certificate file, and
	// key file.
	Checksum string

	// TLSCipherSuites are operator-defined ciphers to be used in Nomad TLS
	// connections
	TLSCipherSuites string `hcl:"tls_cipher_suites"`

	// TLSMinVersion is used to set the minimum TLS version used for TLS
	// connections. Should be either "tls10", "tls11", or "tls12".
	TLSMinVersion string `hcl:"tls_min_version"`

	// TLSPreferServerCipherSuites controls whether the server selects the
	// client's most preferred ciphersuite, or the server's most preferred
	// ciphersuite. If true then the server's preference, as expressed in
	// the order of elements in CipherSuites, is used.
	TLSPreferServerCipherSuites bool `hcl:"tls_prefer_server_cipher_suites"`

	// ExtraKeysHCL is used by hcl to surface unexpected keys
	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"`
	// contains filtered or unexported fields
}

TLSConfig provides TLS related configuration

func (*TLSConfig) CertificateInfoIsEqual added in v0.8.0

func (t *TLSConfig) CertificateInfoIsEqual(newConfig *TLSConfig) (bool, error)

CertificateInfoIsEqual compares the fields of two TLS configuration objects for the fields that are specific to configuring a TLS connection It is possible for either the calling TLSConfig to be nil, or the TLSConfig that it is being compared against, so we need to handle both places. See server.go Reload for example.

func (*TLSConfig) Copy added in v0.7.1

func (t *TLSConfig) Copy() *TLSConfig

Copy copies the fields of TLSConfig to another TLSConfig object. Required as to not copy mutexes between objects.

func (*TLSConfig) GetKeyLoader added in v0.7.1

func (t *TLSConfig) GetKeyLoader() *KeyLoader

GetKeyLoader returns the keyloader for a TLSConfig object. If the keyloader has not been initialized, it will first do so.

func (*TLSConfig) IsEmpty added in v0.8.0

func (t *TLSConfig) IsEmpty() bool

func (*TLSConfig) Merge added in v0.5.0

func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig

Merge is used to merge two TLS configs together

func (*TLSConfig) SetChecksum added in v0.8.0

func (t *TLSConfig) SetChecksum() error

SetChecksum generates and sets the checksum for a TLS configuration

type UIConfig added in v1.2.4

type UIConfig struct {

	// Enabled is used to enable the web UI
	Enabled bool `hcl:"enabled"`

	// Consul configures deep links for Consul UI
	Consul *ConsulUIConfig `hcl:"consul"`

	// Vault configures deep links for Vault UI
	Vault *VaultUIConfig `hcl:"vault"`
}

UIConfig contains the operator configuration of the web UI Note: before extending this configuration, consider reviewing NMD-125

func DefaultUIConfig added in v1.2.4

func DefaultUIConfig() *UIConfig

DefaultUIConfig returns the canonical defaults for the Nomad `ui` configuration.

func (*UIConfig) Copy added in v1.2.4

func (old *UIConfig) Copy() *UIConfig

Copy returns a copy of this UI config.

func (*UIConfig) Merge added in v1.2.4

func (old *UIConfig) Merge(other *UIConfig) *UIConfig

Merge returns a new UI configuration by merging another UI configuration into this one

type VaultConfig added in v0.5.0

type VaultConfig struct {

	// Enabled enables or disables Vault support.
	Enabled *bool `hcl:"enabled"`

	// Token is the Vault token given to Nomad such that it can
	// derive child tokens. Nomad will renew this token at half its lease
	// lifetime.
	Token string `hcl:"token"`

	// Role sets the role in which to create tokens from. The Token given to
	// Nomad does not have to be created from this role but must have "update"
	// capability on "auth/token/create/<create_from_role>". If this value is
	// unset and the token is created from a role, the value is defaulted to the
	// role the token is from.
	Role string `hcl:"create_from_role"`

	// Namespace sets the Vault namespace used for all calls against the
	// Vault API. If this is unset, then Nomad does not use Vault namespaces.
	Namespace string `mapstructure:"namespace"`

	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
	// without providing a Vault token proving they have access to these
	// policies.
	AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
	// by the client.  There should be a minimum time value such that the client
	// does not have to renew with Vault at a very high frequency
	TaskTokenTTL string `hcl:"task_token_ttl"`

	// Addr is the address of the local Vault agent. This should be a complete
	// URL such as "http://vault.example.com"
	Addr string `hcl:"address"`

	// ConnectionRetryIntv is the interval to wait before re-attempting to
	// connect to Vault.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	TLSCaFile string `hcl:"ca_file"`

	// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
	// verify the Vault server SSL certificate.
	TLSCaPath string `hcl:"ca_path"`

	// TLSCertFile is the path to the certificate for Vault communication
	TLSCertFile string `hcl:"cert_file"`

	// TLSKeyFile is the path to the private key for Vault communication
	TLSKeyFile string `hcl:"key_file"`

	// TLSSkipVerify enables or disables SSL verification
	TLSSkipVerify *bool `hcl:"tls_skip_verify"`

	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
	TLSServerName string `hcl:"tls_server_name"`
}

VaultConfig contains the configuration information necessary to communicate with Vault in order to:

- Renew Vault tokens/leases.

- Pass a token for the Nomad Server to derive sub-tokens.

- Create child tokens with policy subsets of the Server's token.

func DefaultVaultConfig added in v0.5.0

func DefaultVaultConfig() *VaultConfig

DefaultVaultConfig returns the canonical defaults for the Nomad `vault` configuration.

func (*VaultConfig) AllowsUnauthenticated added in v0.5.0

func (c *VaultConfig) AllowsUnauthenticated() bool

AllowsUnauthenticated returns whether the config allows unauthenticated access to Vault

func (*VaultConfig) ApiConfig added in v0.5.0

func (c *VaultConfig) ApiConfig() (*vault.Config, error)

ApiConfig returns a usable Vault config that can be passed directly to hashicorp/vault/api.

func (*VaultConfig) Copy added in v0.5.0

func (c *VaultConfig) Copy() *VaultConfig

Copy returns a copy of this Vault config.

func (*VaultConfig) Equal added in v1.2.13

func (c *VaultConfig) Equal(b *VaultConfig) bool

Equal is a rename of Equals.

func (*VaultConfig) Equals added in v1.1.17

func (c *VaultConfig) Equals(b *VaultConfig) bool

Equals compares two Vault configurations and returns a boolean indicating if they are equal.

func (*VaultConfig) IsEnabled added in v0.5.0

func (c *VaultConfig) IsEnabled() bool

IsEnabled returns whether the config enables Vault integration

func (*VaultConfig) Merge added in v0.5.0

func (c *VaultConfig) Merge(b *VaultConfig) *VaultConfig

Merge merges two Vault configurations together.

type VaultUIConfig added in v1.2.4

type VaultUIConfig struct {
	// BaseUIURL provides the full base URL to the UI, ex:
	// https://vault.example.com:8200/ui/
	BaseUIURL string `hcl:"ui_url"`
}

VaultUIConfig configures deep links to this cluster's Vault

func (*VaultUIConfig) Copy added in v1.2.4

func (old *VaultUIConfig) Copy() *VaultUIConfig

Copy returns a copy of this Vault UI config.

func (*VaultUIConfig) Merge added in v1.2.4

func (old *VaultUIConfig) Merge(other *VaultUIConfig) *VaultUIConfig

Merge returns a new Vault UI configuration by merging another Vault UI configuration into this one

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL