Documentation

Index
- Constants
- type ConsulConfig
- type KeyLoader
- func (k *KeyLoader) Copy() *KeyLoader
- func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)
- func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)
- type SentinelConfig
- type SentinelImport
- type TLSConfig
- type VaultConfig

Constants

	const (
		// DefaultVaultConnectRetryIntv is the retry interval between trying to
		// connect to Vault
		DefaultVaultConnectRetryIntv = 30 * time.Second
	)

Variables
This section is empty.

Functions
This section is empty.

Types
type ConsulConfig

	type ConsulConfig struct {
		// ServerServiceName is the name of the service that Nomad uses to register
		// servers with Consul
		ServerServiceName string `mapstructure:"server_service_name"`

		// ClientServiceName is the name of the service that Nomad uses to register
		// clients with Consul
		ClientServiceName string `mapstructure:"client_service_name"`

		// AutoAdvertise determines if this Nomad Agent will advertise its
		// services via Consul. When true, Nomad Agent will register
		// services with Consul.
		AutoAdvertise *bool `mapstructure:"auto_advertise"`

		// ChecksUseAdvertise specifies that Consul checks should use the advertise
		// address instead of the bind address
		ChecksUseAdvertise *bool `mapstructure:"checks_use_advertise"`

		// Addr is the address of the local Consul agent
		Addr string `mapstructure:"address"`

		// Timeout is used by the Consul HTTP client
		Timeout time.Duration `mapstructure:"timeout"`

		// Token is used to provide a per-request ACL token. This option overrides
		// the agent's default token
		Token string `mapstructure:"token"`

		// Auth is the information to use for http access to the Consul agent
		Auth string `mapstructure:"auth"`

		// EnableSSL sets the transport scheme to talk to the Consul agent as https
		EnableSSL *bool `mapstructure:"ssl"`

		// VerifySSL enables or disables SSL verification when the transport scheme
		// for the consul api client is https
		VerifySSL *bool `mapstructure:"verify_ssl"`

		// CAFile is the path to the ca certificate used for Consul communication
		CAFile string `mapstructure:"ca_file"`

		// CertFile is the path to the certificate for Consul communication
		CertFile string `mapstructure:"cert_file"`

		// KeyFile is the path to the private key for Consul communication
		KeyFile string `mapstructure:"key_file"`

		// ServerAutoJoin enables Nomad servers to find peers by querying Consul and
		// joining them
		ServerAutoJoin *bool `mapstructure:"server_auto_join"`

		// ClientAutoJoin enables Nomad servers to find addresses of Nomad servers
		// and register with them
		ClientAutoJoin *bool `mapstructure:"client_auto_join"`
	}
ConsulConfig contains the configuration information necessary to communicate with a Consul Agent in order to:
- Register services and their checks with Consul
- Bootstrap this Nomad Client with the list of Nomad Servers registered with Consul
Both the Agent and the executor need to be able to import ConsulConfig.
func DefaultConsulConfig

	func DefaultConsulConfig() *ConsulConfig

DefaultConsulConfig() returns the canonical defaults for the Nomad `consul` configuration.

func (*ConsulConfig) ApiConfig

	func (c *ConsulConfig) ApiConfig() (*consul.Config, error)

ApiConfig returns a usable Consul config that can be passed directly to hashicorp/consul/api. NOTE: datacenter is not set.

func (*ConsulConfig) Copy (added in v0.5.0)

	func (c *ConsulConfig) Copy() *ConsulConfig

Copy returns a copy of this Consul config.

func (*ConsulConfig) Merge

	func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig

Merge merges two Consul configurations together.
type KeyLoader (added in v0.7.1)

	type KeyLoader struct {
		// contains filtered or unexported fields
	}

func (*KeyLoader) GetClientCertificate (added in v0.7.1)

	func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate fetches the currently-loaded certificate when the Server requests a certificate from the caller. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.

func (*KeyLoader) GetOutgoingCertificate (added in v0.7.1)

	func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetOutgoingCertificate fetches the currently-loaded certificate when accepting a TLS connection. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.

func (*KeyLoader) LoadKeyPair (added in v0.7.1)

	func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)

LoadKeyPair reloads the TLS certificate from the specified certificate and key files. If successful, it stores the certificate for further use.
type SentinelConfig (added in v0.7.0)

	type SentinelConfig struct {
		// Imports are the configured imports
		Imports []*SentinelImport `hcl:"import,expand"`
	}

SentinelConfig is configuration specific to Sentinel.

func (*SentinelConfig) Merge (added in v0.7.0)

	func (a *SentinelConfig) Merge(b *SentinelConfig) *SentinelConfig

Merge is used to merge two Sentinel configs together. The settings from the input always take precedence.

type SentinelImport (added in v0.7.0)

	type SentinelImport struct {
		Name string   `hcl:",key"`
		Path string   `hcl:"path"`
		Args []string `hcl:"args"`
	}

SentinelImport is used per configured import.
type TLSConfig (added in v0.5.0)

	type TLSConfig struct {
		// EnableHTTP enables TLS for http traffic to the Nomad server and clients
		EnableHTTP bool `mapstructure:"http"`

		// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
		EnableRPC bool `mapstructure:"rpc"`

		// VerifyServerHostname is used to enable hostname verification of servers. This
		// ensures that the certificate presented is valid for server.<region>.nomad.
		// This prevents a compromised client from being restarted as a server, and then
		// intercepting request traffic as well as being added as a raft peer. This should be
		// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
		// existing clients.
		VerifyServerHostname bool `mapstructure:"verify_server_hostname"`

		// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
		// or VerifyOutgoing to verify the TLS connection.
		CAFile string `mapstructure:"ca_file"`

		// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
		// Must be provided to serve TLS connections.
		CertFile string `mapstructure:"cert_file"`

		// KeyLoader is a helper to dynamically reload TLS configuration
		KeyLoader *KeyLoader

		// KeyFile is used to provide a TLS key that is used for serving TLS connections.
		// Must be provided to serve TLS connections.
		KeyFile string `mapstructure:"key_file"`

		// RPCUpgradeMode should be enabled when a cluster is being upgraded
		// to TLS. Allows servers to accept both plaintext and TLS connections and
		// should only be a temporary state.
		RPCUpgradeMode bool `mapstructure:"rpc_upgrade_mode"`

		// Verify connections to the HTTPS API
		VerifyHTTPSClient bool `mapstructure:"verify_https_client"`
		// contains filtered or unexported fields
	}

TLSConfig provides TLS related configuration.

func (*TLSConfig) Copy (added in v0.7.1)

Copy copies the fields of a TLSConfig to another TLSConfig object. Required so as not to copy mutexes between objects.

func (*TLSConfig) GetKeyLoader (added in v0.7.1)

GetKeyLoader returns the KeyLoader for a TLSConfig object. If the KeyLoader has not been initialized, it will first do so.
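The VerifyServerHostname field above amounts to a DNS-name check for server.<region>.nomad layered on top of normal chain validation: a certificate issued by the cluster CA to a client chains fine but does not carry the server name, so it cannot be used to stand up a rogue server. The following is an added illustration of that check with Go's crypto/x509 and not Nomad's own code; verifyServerHostname, issueCert and demo are hypothetical helpers, and issueCert builds a throwaway in-memory CA so the block runs offline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// serverName is the DNS name VerifyServerHostname expects for a region.
func serverName(region string) string { return "server." + region + ".nomad" }
// verifyServerHostname checks that a peer's leaf certificate chains to the configured CA
// and is valid for server.<region>.nomad; a client cert from the same CA fails the name check.
func verifyServerHostname(region string, leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName(region)})
	return err
}
// issueCert (constructed test PKI) signs a cert for dnsName with parent; nil parent means self-signed CA.
func issueCert(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil { // self-signed CA that is allowed to sign the leaf certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// demo issues a CA, a server cert and a client cert, then runs both leaves through the check.
func demo(region string) (serverErr, clientErr error) {
	ca, caKey, err := issueCert("nomad-ca", nil, nil)
	if err != nil { return err, err }
	srv, _, err1 := issueCert(serverName(region), ca, caKey)
	cli, _, err2 := issueCert("client."+region+".nomad", ca, caKey)
	if err1 != nil || err2 != nil { return err1, err2 }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return verifyServerHostname(region, srv, roots), verifyServerHostname(region, cli, roots)
}
```

Only the server certificate verifies; the client certificate is rejected with a hostname error even though it chains to the same CA.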
type VaultConfig (added in v0.5.0)

	type VaultConfig struct {
		// Enabled enables or disables Vault support.
		Enabled *bool `mapstructure:"enabled"`

		// Token is the Vault token given to Nomad such that it can
		// derive child tokens. Nomad will renew this token at half its lease
		// lifetime.
		Token string `mapstructure:"token"`

		// Role sets the role from which to create tokens. The Token given to
		// Nomad does not have to be created from this role but must have "update"
		// capability on "auth/token/create/<create_from_role>". If this value is
		// unset and the token is created from a role, the value is defaulted to the
		// role the token is from.
		Role string `mapstructure:"create_from_role"`

		// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
		// without providing a Vault token proving they have access to these
		// policies.
		AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`

		// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
		// by the client. There should be a minimum time value such that the client
		// does not have to renew with Vault at a very high frequency
		TaskTokenTTL string `mapstructure:"task_token_ttl"`

		// Addr is the address of the local Vault agent. This should be a complete
		// URL such as "http://vault.example.com"
		Addr string `mapstructure:"address"`

		// ConnectionRetryIntv is the interval to wait before re-attempting to
		// connect to Vault.
		ConnectionRetryIntv time.Duration

		// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
		// Vault server SSL certificate.
		TLSCaFile string `mapstructure:"ca_file"`

		// TLSCaPath is the path to a directory of PEM-encoded CA cert files to
		// verify the Vault server SSL certificate.
		TLSCaPath string `mapstructure:"ca_path"`

		// TLSCertFile is the path to the certificate for Vault communication
		TLSCertFile string `mapstructure:"cert_file"`

		// TLSKeyFile is the path to the private key for Vault communication
		TLSKeyFile string `mapstructure:"key_file"`

		// TLSSkipVerify enables or disables SSL verification
		TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`

		// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
		TLSServerName string `mapstructure:"tls_server_name"`
	}

VaultConfig contains the configuration information necessary to communicate with Vault in order to:
- Renew Vault tokens/leases.
- Pass a token for the Nomad Server to derive sub-tokens.
- Create child tokens with policy subsets of the Server's token.

func DefaultVaultConfig (added in v0.5.0)

	func DefaultVaultConfig() *VaultConfig

DefaultVaultConfig() returns the canonical defaults for the Nomad `vault` configuration.

func (*VaultConfig) AllowsUnauthenticated (added in v0.5.0)

	func (a *VaultConfig) AllowsUnauthenticated() bool

AllowsUnauthenticated returns whether the config allows unauthenticated access to Vault.

func (*VaultConfig) ApiConfig (added in v0.5.0)

	func (c *VaultConfig) ApiConfig() (*vault.Config, error)

ApiConfig() returns a usable Vault config that can be passed directly to hashicorp/vault/api.

func (*VaultConfig) Copy (added in v0.5.0)

	func (c *VaultConfig) Copy() *VaultConfig

Copy returns a copy of this Vault config.

func (*VaultConfig) IsEnabled (added in v0.5.0)

	func (a *VaultConfig) IsEnabled() bool

IsEnabled returns whether the config enables Vault integration.

func (*VaultConfig) Merge (added in v0.5.0)

	func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig

Merge merges two Vault configurations together.