Documentation
Index
- Constants
- type AutopilotConfig
- type ConsulConfig
- type KeyLoader
- func (k *KeyLoader) Copy() *KeyLoader
- func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)
- func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)
- func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)
- type SentinelConfig
- type SentinelImport
- type TLSConfig
- type VaultConfig
Constants
const (
    // DefaultVaultConnectRetryIntv is the retry interval between trying to
    // connect to Vault
    DefaultVaultConnectRetryIntv = 30 * time.Second
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AutopilotConfig
type AutopilotConfig struct {
    // CleanupDeadServers controls whether to remove dead servers when a new
    // server is added to the Raft peers.
    CleanupDeadServers *bool `mapstructure:"cleanup_dead_servers"`

    // ServerStabilizationTime is the minimum amount of time a server must be
    // in a stable, healthy state before it can be added to the cluster. Only
    // applicable with Raft protocol version 3 or higher.
    ServerStabilizationTime time.Duration `mapstructure:"server_stabilization_time"`

    // LastContactThreshold is the limit on the amount of time a server can go
    // without leader contact before being considered unhealthy.
    LastContactThreshold time.Duration `mapstructure:"last_contact_threshold"`

    // MaxTrailingLogs is the amount of entries in the Raft Log that a server can
    // be behind before being considered unhealthy.
    MaxTrailingLogs int `mapstructure:"max_trailing_logs"`

    // (Enterprise-only) EnableRedundancyZones specifies whether to enable redundancy zones.
    EnableRedundancyZones *bool `mapstructure:"enable_redundancy_zones"`

    // (Enterprise-only) DisableUpgradeMigration will disable Autopilot's upgrade migration
    // strategy of waiting until enough newer-versioned servers have been added to the
    // cluster before promoting them to voters.
    DisableUpgradeMigration *bool `mapstructure:"disable_upgrade_migration"`

    // (Enterprise-only) EnableCustomUpgrades specifies whether to enable using custom
    // upgrade versions when performing migrations.
    EnableCustomUpgrades *bool `mapstructure:"enable_custom_upgrades"`
}
func DefaultAutopilotConfig
func DefaultAutopilotConfig() *AutopilotConfig
DefaultAutopilotConfig() returns the canonical defaults for the Nomad `autopilot` configuration.
func (*AutopilotConfig) Copy
func (a *AutopilotConfig) Copy() *AutopilotConfig
Copy returns a copy of this Autopilot config.
func (*AutopilotConfig) Merge
func (a *AutopilotConfig) Merge(b *AutopilotConfig) *AutopilotConfig
type ConsulConfig
type ConsulConfig struct {
    // ServerServiceName is the name of the service that Nomad uses to register
    // servers with Consul
    ServerServiceName string `mapstructure:"server_service_name"`

    // ServerHTTPCheckName is the name of the health check that Nomad uses
    // to register the server HTTP health check with Consul
    ServerHTTPCheckName string `mapstructure:"server_http_check_name"`

    // ServerSerfCheckName is the name of the health check that Nomad uses
    // to register the server Serf health check with Consul
    ServerSerfCheckName string `mapstructure:"server_serf_check_name"`

    // ServerRPCCheckName is the name of the health check that Nomad uses
    // to register the server RPC health check with Consul
    ServerRPCCheckName string `mapstructure:"server_rpc_check_name"`

    // ClientServiceName is the name of the service that Nomad uses to register
    // clients with Consul
    ClientServiceName string `mapstructure:"client_service_name"`

    // ClientHTTPCheckName is the name of the health check that Nomad uses
    // to register the client HTTP health check with Consul
    ClientHTTPCheckName string `mapstructure:"client_http_check_name"`

    // AutoAdvertise determines if this Nomad Agent will advertise its
    // services via Consul. When true, Nomad Agent will register
    // services with Consul.
    AutoAdvertise *bool `mapstructure:"auto_advertise"`

    // ChecksUseAdvertise specifies that Consul checks should use advertise
    // address instead of bind address
    ChecksUseAdvertise *bool `mapstructure:"checks_use_advertise"`

    // Addr is the address of the local Consul agent
    Addr string `mapstructure:"address"`

    // Timeout is used by Consul HTTP Client
    Timeout time.Duration `mapstructure:"timeout"`

    // Token is used to provide a per-request ACL token. This option overrides
    // the agent's default token
    Token string `mapstructure:"token"`

    // Auth is the information to use for http access to Consul agent
    Auth string `mapstructure:"auth"`

    // EnableSSL sets the transport scheme to talk to the Consul agent as https
    EnableSSL *bool `mapstructure:"ssl"`

    // VerifySSL enables or disables SSL verification when the transport scheme
    // for the consul api client is https
    VerifySSL *bool `mapstructure:"verify_ssl"`

    // CAFile is the path to the ca certificate used for Consul communication
    CAFile string `mapstructure:"ca_file"`

    // CertFile is the path to the certificate for Consul communication
    CertFile string `mapstructure:"cert_file"`

    // KeyFile is the path to the private key for Consul communication
    KeyFile string `mapstructure:"key_file"`

    // ServerAutoJoin enables Nomad servers to find peers by querying Consul and
    // joining them
    ServerAutoJoin *bool `mapstructure:"server_auto_join"`

    // ClientAutoJoin enables Nomad servers to find addresses of Nomad servers
    // and register with them
    ClientAutoJoin *bool `mapstructure:"client_auto_join"`
}
ConsulConfig contains the configuration information necessary to communicate with a Consul Agent in order to:
- Register services and their checks with Consul
- Bootstrap this Nomad Client with the list of Nomad Servers registered with Consul
Both the Agent and the executor need to be able to import ConsulConfig.
func DefaultConsulConfig
func DefaultConsulConfig() *ConsulConfig
DefaultConsulConfig() returns the canonical defaults for the Nomad `consul` configuration.
func (*ConsulConfig) ApiConfig
func (c *ConsulConfig) ApiConfig() (*consul.Config, error)
ApiConfig returns a usable Consul config that can be passed directly to hashicorp/consul/api. NOTE: the datacenter is not set.
func (*ConsulConfig) Copy
func (c *ConsulConfig) Copy() *ConsulConfig
Copy returns a copy of this Consul config.
func (*ConsulConfig) Merge
func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig
Merge merges two Consul Configurations together.
type KeyLoader
type KeyLoader struct {
// contains filtered or unexported fields
}
func (*KeyLoader) GetClientCertificate
func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)
GetClientCertificate fetches the currently-loaded certificate when the server requests a certificate from the caller. It currently does not consider the information in the CertificateRequestInfo and only returns the certificate that was last loaded.
func (*KeyLoader) GetOutgoingCertificate
func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)
GetOutgoingCertificate fetches the currently-loaded certificate when accepting a TLS connection. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.
func (*KeyLoader) LoadKeyPair
func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)
LoadKeyPair reloads the TLS certificate based on the specified certificate and key file. If successful, stores the certificate for further use.
type SentinelConfig
type SentinelConfig struct {
    // Imports are the configured imports
    Imports []*SentinelImport `hcl:"import,expand"`
}
SentinelConfig is configuration specific to Sentinel.
func (*SentinelConfig) Merge
func (a *SentinelConfig) Merge(b *SentinelConfig) *SentinelConfig
Merge is used to merge two Sentinel configs together. The settings from the input always take precedence.
type SentinelImport
type SentinelImport struct {
    Name string   `hcl:",key"`
    Path string   `hcl:"path"`
    Args []string `hcl:"args"`
}
SentinelImport describes one configured import.
type TLSConfig
type TLSConfig struct {
    // EnableHTTP enables TLS for http traffic to the Nomad server and clients
    EnableHTTP bool `mapstructure:"http"`

    // EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
    EnableRPC bool `mapstructure:"rpc"`

    // VerifyServerHostname is used to enable hostname verification of servers. This
    // ensures that the certificate presented is valid for server.<region>.nomad
    // This prevents a compromised client from being restarted as a server, and then
    // intercepting request traffic as well as being added as a raft peer. This should be
    // enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
    // existing clients.
    VerifyServerHostname bool `mapstructure:"verify_server_hostname"`

    // CAFile is a path to a certificate authority file. This is used with VerifyIncoming
    // or VerifyOutgoing to verify the TLS connection.
    CAFile string `mapstructure:"ca_file"`

    // CertFile is used to provide a TLS certificate that is used for serving TLS connections.
    // Must be provided to serve TLS connections.
    CertFile string `mapstructure:"cert_file"`

    // KeyLoader is a helper to dynamically reload TLS configuration
    KeyLoader *KeyLoader

    // KeyFile is used to provide a TLS key that is used for serving TLS connections.
    // Must be provided to serve TLS connections.
    KeyFile string `mapstructure:"key_file"`

    // RPCUpgradeMode should be enabled when a cluster is being upgraded
    // to TLS. Allows servers to accept both plaintext and TLS connections and
    // should only be a temporary state.
    RPCUpgradeMode bool `mapstructure:"rpc_upgrade_mode"`

    // Verify connections to the HTTPS API
    VerifyHTTPSClient bool `mapstructure:"verify_https_client"`

    // Checksum is an MD5 hash of the certificate CA File, Certificate file, and
    // key file.
    Checksum string
    // contains filtered or unexported fields
}
TLSConfig provides TLS related configuration.
func (*TLSConfig) CertificateInfoIsEqual
CertificateInfoIsEqual compares the fields of two TLS configuration objects that are specific to configuring a TLS connection. Either the calling TLSConfig or the TLSConfig it is compared against may be nil, so both cases are handled. See server.go Reload for an example.
func (*TLSConfig) Copy
Copy copies the fields of TLSConfig to another TLSConfig object. This is required so as not to copy mutexes between objects.
func (*TLSConfig) GetKeyLoader
GetKeyLoader returns the KeyLoader for a TLSConfig object. If the KeyLoader has not been initialized, it will first do so.
func (*TLSConfig) SetChecksum
SetChecksum generates and sets the checksum for a TLS configuration.
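As an added example (not code from the Nomad package documented here), the following Go program shows the pattern the KeyLoader and TLSConfig sections describe: the most recently loaded certificate is held behind a mutex, reloaded from a certificate and key file by LoadKeyPair, and handed to crypto/tls through the GetCertificate and GetClientCertificate callbacks, so that a rotation takes effect on the next handshake without restarting the listener. The names ReloadableKeyLoader, TLSConfigFor, WriteSelfSignedPair and must, and the common names server.global.nomad and server.eu.nomad, are assumptions of this example; the self-signed pair it writes is constructed test material, not production PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadableKeyLoader is a hypothetical stand-in for the package's KeyLoader:
// the last good certificate sits behind a mutex and is served via crypto/tls callbacks.
type ReloadableKeyLoader struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// LoadKeyPair parses the PEM pair and swaps it in; a bad pair leaves the old one serving.
func (k *ReloadableKeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error) {
	c, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil { // Leaf is only auto-filled from Go 1.23 on
		return nil, err
	}
	k.mu.Lock()
	k.cert = &c
	k.mu.Unlock()
	return &c, nil
}

// GetOutgoingCertificate ignores the ClientHello, as the page's KeyLoader does, and
// returns whatever was loaded most recently; GetClientCertificate reuses it.
func (k *ReloadableKeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	k.mu.RLock()
	defer k.mu.RUnlock()
	if k.cert == nil {
		return nil, fmt.Errorf("no TLS certificate loaded")
	}
	return k.cert, nil
}

func (k *ReloadableKeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return k.GetOutgoingCertificate(nil)
}

// TLSConfigFor resolves the certificate per handshake through the loader callbacks,
// so a later LoadKeyPair applies to the next connection without a restart.
func TLSConfigFor(k *ReloadableKeyLoader) *tls.Config {
	return &tls.Config{
		MinVersion:           tls.VersionTLS12,
		GetCertificate:       k.GetOutgoingCertificate,
		GetClientCertificate: k.GetClientCertificate,
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// WriteSelfSignedPair writes a throwaway self-signed cert and key (constructed test
// material, not production PKI) as <name>.crt and <name>.key under dir.
func WriteSelfSignedPair(dir, name, cn string) (certFile, keyFile string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	certFile, keyFile = filepath.Join(dir, name+".crt"), filepath.Join(dir, name+".key")
	must(os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	must(os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certFile, keyFile
}

func main() {
	dir, _ := os.MkdirTemp("", "keyloader")
	var loader ReloadableKeyLoader
	cfg := TLSConfigFor(&loader)
	for _, cn := range []string{"server.global.nomad", "server.eu.nomad"} { // constructed names
		crt, key := WriteSelfSignedPair(dir, cn, cn)
		_, err := loader.LoadKeyPair(crt, key)
		must(err)
		served, _ := cfg.GetCertificate(&tls.ClientHelloInfo{})
		fmt.Printf("now serving CN=%s\n", served.Leaf.Subject.CommonName)
	}
}
```

Because the tls.Config resolves the certificate through the callbacks rather than a static Certificates slice, a failed LoadKeyPair (missing or mismatched file) returns an error and the previously loaded certificate keeps serving, which is the property an operator wants from a hot reload. Pair it with a change detector such as the Checksum field above so a reload is only attempted when the on-disk material actually changed.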
type VaultConfig
type VaultConfig struct {
    // Enabled enables or disables Vault support.
    Enabled *bool `mapstructure:"enabled"`

    // Token is the Vault token given to Nomad such that it can
    // derive child tokens. Nomad will renew this token at half its lease
    // lifetime.
    Token string `mapstructure:"token"`

    // Role sets the role in which to create tokens from. The Token given to
    // Nomad does not have to be created from this role but must have "update"
    // capability on "auth/token/create/<create_from_role>". If this value is
    // unset and the token is created from a role, the value is defaulted to the
    // role the token is from.
    Role string `mapstructure:"create_from_role"`

    // AllowUnauthenticated allows users to submit jobs requiring Vault tokens
    // without providing a Vault token proving they have access to these
    // policies.
    AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`

    // TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
    // by the client. There should be a minimum time value such that the client
    // does not have to renew with Vault at a very high frequency
    TaskTokenTTL string `mapstructure:"task_token_ttl"`

    // Addr is the address of the local Vault agent. This should be a complete
    // URL such as "http://vault.example.com"
    Addr string `mapstructure:"address"`

    // ConnectionRetryIntv is the interval to wait before re-attempting to
    // connect to Vault.
    ConnectionRetryIntv time.Duration

    // TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
    // Vault server SSL certificate.
    TLSCaFile string `mapstructure:"ca_file"`

    // TLSCaPath is the path to a directory of PEM-encoded CA cert files to
    // verify the Vault server SSL certificate.
    TLSCaPath string `mapstructure:"ca_path"`

    // TLSCertFile is the path to the certificate for Vault communication
    TLSCertFile string `mapstructure:"cert_file"`

    // TLSKeyFile is the path to the private key for Vault communication
    TLSKeyFile string `mapstructure:"key_file"`

    // TLSSkipVerify enables or disables SSL verification
    TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`

    // TLSServerName, if set, is used to set the SNI host when connecting via TLS.
    TLSServerName string `mapstructure:"tls_server_name"`
}
VaultConfig contains the configuration information necessary to communicate with Vault in order to:
- Renew Vault tokens/leases.
- Pass a token for the Nomad Server to derive sub-tokens.
- Create child tokens with policy subsets of the Server's token.
func DefaultVaultConfig
func DefaultVaultConfig() *VaultConfig
DefaultVaultConfig() returns the canonical defaults for the Nomad `vault` configuration.
func (*VaultConfig) AllowsUnauthenticated
func (a *VaultConfig) AllowsUnauthenticated() bool
AllowsUnauthenticated returns whether the config allows unauthenticated access to Vault.
func (*VaultConfig) ApiConfig
func (c *VaultConfig) ApiConfig() (*vault.Config, error)
ApiConfig() returns a usable Vault config that can be passed directly to hashicorp/vault/api.
func (*VaultConfig) Copy
func (c *VaultConfig) Copy() *VaultConfig
Copy returns a copy of this Vault config.
func (*VaultConfig) IsEnabled
func (a *VaultConfig) IsEnabled() bool
IsEnabled returns whether the config enables Vault integration.
func (*VaultConfig) Merge
func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig
Merge merges two Vault configurations together.