config

package
v0.7.1
Published: Dec 20, 2017 License: MPL-2.0 Imports: 9 Imported by: 0

README

Overview

nomad/structs/config is a package for configuration structs that are shared among packages that need the same struct definitions but cannot import each other without creating an import cycle. This config package must be terminal in the import graph (or very close to terminal in the dependency graph).

Documentation

Index

Constants

const (
	// DefaultVaultConnectRetryIntv is the retry interval between trying to
	// connect to Vault
	DefaultVaultConnectRetryIntv = 30 * time.Second
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ConsulConfig

type ConsulConfig struct {
	// ServerServiceName is the name of the service that Nomad uses to register
	// servers with Consul
	ServerServiceName string `mapstructure:"server_service_name"`

	// ClientServiceName is the name of the service that Nomad uses to register
	// clients with Consul
	ClientServiceName string `mapstructure:"client_service_name"`

	// AutoAdvertise determines if this Nomad Agent will advertise its
	// services via Consul.  When true, Nomad Agent will register
	// services with Consul.
	AutoAdvertise *bool `mapstructure:"auto_advertise"`

	// ChecksUseAdvertise specifies that Consul checks should use advertise
	// address instead of bind address
	ChecksUseAdvertise *bool `mapstructure:"checks_use_advertise"`

	// Addr is the address of the local Consul agent
	Addr string `mapstructure:"address"`

	// Timeout is used by Consul HTTP Client
	Timeout time.Duration `mapstructure:"timeout"`

	// Token is used to provide a per-request ACL token. This option overrides
	// the agent's default token
	Token string `mapstructure:"token"`

	// Auth is the HTTP basic-auth credential for the Consul agent, given as
	// "user:password"
	Auth string `mapstructure:"auth"`

	// EnableSSL sets the transport scheme to talk to the Consul agent as https
	EnableSSL *bool `mapstructure:"ssl"`

	// VerifySSL enables or disables SSL verification when the transport scheme
	// for the consul api client is https
	VerifySSL *bool `mapstructure:"verify_ssl"`

	// CAFile is the path to the ca certificate used for Consul communication
	CAFile string `mapstructure:"ca_file"`

	// CertFile is the path to the certificate for Consul communication
	CertFile string `mapstructure:"cert_file"`

	// KeyFile is the path to the private key for Consul communication
	KeyFile string `mapstructure:"key_file"`

	// ServerAutoJoin enables Nomad servers to find peers by querying Consul and
	// joining them
	ServerAutoJoin *bool `mapstructure:"server_auto_join"`

	// ClientAutoJoin enables Nomad servers to find addresses of Nomad servers
	// and register with them
	ClientAutoJoin *bool `mapstructure:"client_auto_join"`
}

ConsulConfig contains the configuration information necessary to communicate with a Consul Agent in order to:

- Register services and their checks with Consul

- Bootstrap this Nomad Client with the list of Nomad Servers registered with Consul

Both the Agent and the executor need to be able to import ConsulConfig.

func DefaultConsulConfig

func DefaultConsulConfig() *ConsulConfig

DefaultConsulConfig() returns the canonical defaults for the Nomad `consul` configuration.

func (*ConsulConfig) ApiConfig

func (c *ConsulConfig) ApiConfig() (*consul.Config, error)

ApiConfig returns a usable Consul config that can be passed directly to hashicorp/consul/api. NOTE: datacenter is not set

func (*ConsulConfig) Copy added in v0.5.0

func (c *ConsulConfig) Copy() *ConsulConfig

Copy returns a copy of this Consul config.

func (*ConsulConfig) Merge

func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig

Merge merges two Consul Configurations together.
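The `*bool` fields above (AutoAdvertise, ChecksUseAdvertise, EnableSSL, VerifySSL, ServerAutoJoin, ClientAutoJoin) exist so that Merge can tell "the operator wrote `verify_ssl = false`" apart from "the operator wrote nothing": a plain `bool` cannot, because `false` is also its zero value. The following is an added example, not the package's own Merge or ApiConfig: it mirrors a subset of ConsulConfig under the assumed names consulSubset, defaultConsulSubset, merge and effectiveTransport, and the default values are assumptions chosen for the demonstration. It layers defaults, a file stanza and an override, derives the resulting transport settings, and shows that the result never aliases pointers from either input (the reason Copy exists next to Merge).

```go
package main

import "fmt"

// consulSubset mirrors a few ConsulConfig fields (assumed stand-in type).
// nil in a *bool means "not set", so an explicit false survives a merge.
type consulSubset struct {
	Addr          string
	EnableSSL     *bool
	VerifySSL     *bool
	AutoAdvertise *bool
}

func boolPtr(b bool) *bool { return &b }

// defaultConsulSubset plays the role of DefaultConsulConfig; values are assumed.
func defaultConsulSubset() *consulSubset {
	return &consulSubset{Addr: "127.0.0.1:8500", EnableSSL: boolPtr(false),
		VerifySSL: boolPtr(true), AutoAdvertise: boolPtr(true)}
}

// merge applies b on top of a: non-empty strings and non-nil *bool in b win.
// Every pointer in the result is freshly allocated so neither input is aliased.
func (a *consulSubset) merge(b *consulSubset) *consulSubset {
	r := &consulSubset{Addr: a.Addr}
	if b.Addr != "" {
		r.Addr = b.Addr
	}
	copyBool := func(dst **bool, base, over *bool) {
		switch {
		case over != nil:
			*dst = boolPtr(*over)
		case base != nil:
			*dst = boolPtr(*base)
		}
	}
	copyBool(&r.EnableSSL, a.EnableSSL, b.EnableSSL)
	copyBool(&r.VerifySSL, a.VerifySSL, b.VerifySSL)
	copyBool(&r.AutoAdvertise, a.AutoAdvertise, b.AutoAdvertise)
	return r
}

// effectiveTransport is the kind of translation an ApiConfig-style function
// performs: the URL scheme plus whether certificate verification is skipped.
// A nil VerifySSL counts as verify-on, so the unsafe setting needs an explicit false.
func (c *consulSubset) effectiveTransport() (scheme string, insecureSkipVerify bool) {
	scheme = "http"
	if c.EnableSSL != nil && *c.EnableSSL {
		scheme = "https"
	}
	insecureSkipVerify = scheme == "https" && c.VerifySSL != nil && !*c.VerifySSL
	return scheme, insecureSkipVerify
}

func main() {
	// Constructed inputs: a config-file stanza and a later override.
	fileStanza := &consulSubset{Addr: "consul.service.consul:8501", EnableSSL: boolPtr(true)}
	override := &consulSubset{VerifySSL: boolPtr(false)}
	eff := defaultConsulSubset().merge(fileStanza).merge(override)
	scheme, skip := eff.effectiveTransport()
	fmt.Printf("%s://%s auto_advertise=%v insecure_skip_verify=%v\n",
		scheme, eff.Addr, *eff.AutoAdvertise, skip)
}
```

The practical consequence for review: when auditing a merged agent config, look for an explicit `verify_ssl = false` rather than for the absence of `verify_ssl`, because only the former can switch verification off once the defaults are merged in.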

type KeyLoader added in v0.7.1

type KeyLoader struct {
	// contains filtered or unexported fields
}

func (*KeyLoader) Copy added in v0.7.1

func (k *KeyLoader) Copy() *KeyLoader

func (*KeyLoader) GetClientCertificate added in v0.7.1

func (k *KeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error)

GetClientCertificate fetches the currently-loaded certificate when the server requests a certificate from the caller. This currently does not consider the information in the CertificateRequestInfo and only returns the certificate that was last loaded.

func (*KeyLoader) GetOutgoingCertificate added in v0.7.1

func (k *KeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)

GetOutgoingCertificate fetches the currently-loaded certificate when accepting a TLS connection. This currently does not consider information in the ClientHello and only returns the certificate that was last loaded.

func (*KeyLoader) LoadKeyPair added in v0.7.1

func (k *KeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error)

LoadKeyPair reloads the TLS certificate based on the specified certificate and key file. If successful, stores the certificate for further use.
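KeyLoader's three methods together give a tls.Config whose certificate can be rotated without rebuilding the config: GetOutgoingCertificate has the signature of tls.Config.GetCertificate, GetClientCertificate that of tls.Config.GetClientCertificate, and LoadKeyPair swaps what they return. The block below is an added example, not the package's KeyLoader (whose fields are unexported; the hotKeyLoader layout, the writePEM and writeSelfSigned helpers and the serverNameOK check are assumptions introduced here). It implements that reload pattern with a read/write mutex, keeps the last good pair when a reload fails, and adds the name check that TLSConfig.VerifyServerHostname describes: a leaf must be valid for server.<region>.nomad, so a client certificate cannot be reused to impersonate a server. The certificates are constructed, self-signed ECDSA pairs so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// hotKeyLoader is an illustrative stand-in for KeyLoader (assumed layout).
// The RWMutex makes the pointer swap atomic with respect to in-flight handshakes.
type hotKeyLoader struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// LoadKeyPair replaces the stored pair only on success, so a bad reload keeps serving the last good one.
func (k *hotKeyLoader) LoadKeyPair(certFile, keyFile string) (*tls.Certificate, error) {
	c, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	if c.Leaf == nil { // Go releases before 1.23 leave Leaf unparsed
		if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
			return nil, err
		}
	}
	k.mu.Lock()
	k.cert = &c
	k.mu.Unlock()
	return &c, nil
}

// GetOutgoingCertificate fits tls.Config.GetCertificate; it ignores the
// ClientHello and returns whatever was loaded last.
func (k *hotKeyLoader) GetOutgoingCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	k.mu.RLock()
	defer k.mu.RUnlock()
	if k.cert == nil {
		return nil, errors.New("keyloader: no certificate loaded")
	}
	return k.cert, nil
}

// GetClientCertificate fits tls.Config.GetClientCertificate and shares the same store.
func (k *hotKeyLoader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return k.GetOutgoingCertificate(nil)
}

// serverNameOK is the name check behind verify_server_hostname: the leaf must
// be valid for server.<region>.nomad, so a client certificate cannot pose as a server.
func serverNameOK(c *tls.Certificate, region string) bool {
	return c != nil && c.Leaf != nil && c.Leaf.VerifyHostname("server."+region+".nomad") == nil
}

func writePEM(path, typ string, der []byte) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600)
}

// writeSelfSigned writes a constructed self-signed ECDSA pair whose only DNS SAN is dnsName (test PKI only).
func writeSelfSigned(dir, name, dnsName string, serial int64) (certFile, keyFile string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certFile, keyFile = filepath.Join(dir, name+".pem"), filepath.Join(dir, name+"-key.pem")
	if err = writePEM(certFile, "CERTIFICATE", der); err != nil {
		return "", "", err
	}
	return certFile, keyFile, writePEM(keyFile, "EC PRIVATE KEY", keyDER)
}
```

Wire it in as `&tls.Config{GetCertificate: kl.GetOutgoingCertificate, GetClientCertificate: kl.GetClientCertificate}` and call LoadKeyPair again on SIGHUP or a file-watch event; connections already established keep the certificate they negotiated, new handshakes pick up the new pair. Note that this check, like the page's VerifyServerHostname, only covers the name: chain validation against CAFile is still done by the TLS stack.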

type SentinelConfig added in v0.7.0

type SentinelConfig struct {
	// Imports are the configured imports
	Imports []*SentinelImport `hcl:"import,expand"`
}

SentinelConfig is configuration specific to Sentinel

func (*SentinelConfig) Merge added in v0.7.0

Merge is used to merge two Sentinel configs together. The settings from the input always take precedence.

type SentinelImport added in v0.7.0

type SentinelImport struct {
	Name string   `hcl:",key"`
	Path string   `hcl:"path"`
	Args []string `hcl:"args"`
}

SentinelImport is used per configured import

type TLSConfig added in v0.5.0

type TLSConfig struct {

	// EnableHTTP enables TLS for HTTP traffic to the Nomad servers and clients
	EnableHTTP bool `mapstructure:"http"`

	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
	EnableRPC bool `mapstructure:"rpc"`

	// VerifyServerHostname is used to enable hostname verification of servers. This
	// ensures that the certificate presented is valid for server.<region>.nomad
	// This prevents a compromised client from being restarted as a server, and then
	// intercepting request traffic as well as being added as a raft peer. This should be
	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
	// existing clients.
	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`

	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
	// or VerifyOutgoing to verify the TLS connection.
	CAFile string `mapstructure:"ca_file"`

	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	CertFile string `mapstructure:"cert_file"`

	// KeyLoader is a helper to dynamically reload TLS configuration
	KeyLoader *KeyLoader

	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	KeyFile string `mapstructure:"key_file"`

	// RPCUpgradeMode should be enabled when a cluster is being upgraded
	// to TLS. Allows servers to accept both plaintext and TLS connections and
	// should only be a temporary state.
	RPCUpgradeMode bool `mapstructure:"rpc_upgrade_mode"`

	// Verify connections to the HTTPS API
	VerifyHTTPSClient bool `mapstructure:"verify_https_client"`
	// contains filtered or unexported fields
}

TLSConfig provides TLS related configuration

func (*TLSConfig) Copy added in v0.7.1

func (t *TLSConfig) Copy() *TLSConfig

Copy copies the fields of TLSConfig into a new TLSConfig object. Required so as not to copy mutexes between objects.

func (*TLSConfig) GetKeyLoader added in v0.7.1

func (t *TLSConfig) GetKeyLoader() *KeyLoader

GetKeyLoader returns the keyloader for a TLSConfig object. If the keyloader has not been initialized, it will first do so.

func (*TLSConfig) Merge added in v0.5.0

func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig

Merge is used to merge two TLS configs together

type VaultConfig added in v0.5.0

type VaultConfig struct {

	// Enabled enables or disables Vault support.
	Enabled *bool `mapstructure:"enabled"`

	// Token is the Vault token given to Nomad such that it can
	// derive child tokens. Nomad will renew this token at half its lease
	// lifetime.
	Token string `mapstructure:"token"`

	// Role sets the role from which to create tokens. The Token given to
	// Nomad does not have to be created from this role but must have the "update"
	// capability on "auth/token/create/<create_from_role>". If this value is
	// unset and the token is created from a role, the value defaults to the
	// role the token is from.
	Role string `mapstructure:"create_from_role"`

	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
	// without providing a Vault token proving they have access to these
	// policies.
	AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`

	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
	// by the client.  There should be a minimum time value such that the client
	// does not have to renew with Vault at a very high frequency
	TaskTokenTTL string `mapstructure:"task_token_ttl"`

	// Addr is the address of the local Vault agent. This should be a complete
	// URL such as "http://vault.example.com"
	Addr string `mapstructure:"address"`

	// ConnectionRetryIntv is the interval to wait before re-attempting to
	// connect to Vault.
	ConnectionRetryIntv time.Duration

	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
	// Vault server SSL certificate.
	TLSCaFile string `mapstructure:"ca_file"`

	// TLSCaPath is the path to a directory of PEM-encoded CA cert files used to
	// verify the Vault server SSL certificate.
	TLSCaPath string `mapstructure:"ca_path"`

	// TLSCertFile is the path to the certificate for Vault communication
	TLSCertFile string `mapstructure:"cert_file"`

	// TLSKeyFile is the path to the private key for Vault communication
	TLSKeyFile string `mapstructure:"key_file"`

	// TLSSkipVerify, when true, disables verification of the Vault server's TLS
	// certificate. Leave it unset outside of throwaway test environments.
	TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`

	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
	TLSServerName string `mapstructure:"tls_server_name"`
}

VaultConfig contains the configuration information necessary to communicate with Vault in order to:

- Renew Vault tokens/leases.

- Pass a token for the Nomad Server to derive sub-tokens.

- Create child tokens with policy subsets of the Server's token.
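The `mapstructure` tags above are the keys of the agent's `vault` stanza. As an added illustration (not configuration shipped with the project), the two stanzas below use only those keys; the address, role name and file paths are assumptions. The first combines the two settings a reviewer should flag, `tls_skip_verify` and `allow_unauthenticated`, and the second shows the same integration with verification pinned to a CA, a scoped `create_from_role`, and a bounded task token TTL.

```hcl
# Weak: no server certificate verification, and any job submitter can request
# Vault-backed tokens without proving they hold a Vault token for those policies.
vault {
  enabled               = true
  address               = "https://vault.example.internal:8200"
  token                 = "s.REDACTED"
  tls_skip_verify       = true
  allow_unauthenticated = true
}

# Hardened: pinned CA, client certificate, explicit SNI name, tokens minted from a
# named role with a bounded TTL, and job submitters must present a Vault token.
# Per the Role field above, the Nomad token needs "update" on
# auth/token/create/nomad-cluster for this create_from_role to work.
vault {
  enabled               = true
  address               = "https://vault.example.internal:8200"
  token                 = "s.REDACTED"
  create_from_role      = "nomad-cluster"
  task_token_ttl        = "1h"
  ca_file               = "/etc/nomad.d/tls/vault-ca.pem"
  cert_file             = "/etc/nomad.d/tls/nomad.pem"
  key_file              = "/etc/nomad.d/tls/nomad-key.pem"
  tls_server_name       = "vault.example.internal"
  tls_skip_verify       = false
  allow_unauthenticated = false
}
```

Because the struct fields are `*bool`, omitting `tls_skip_verify` and `allow_unauthenticated` leaves them at the package defaults after Merge; writing them out as `false` documents the intent and survives a later merge from a file that would otherwise leave them unset.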

func DefaultVaultConfig added in v0.5.0

func DefaultVaultConfig() *VaultConfig

DefaultVaultConfig() returns the canonical defaults for the Nomad `vault` configuration.

func (*VaultConfig) AllowsUnauthenticated added in v0.5.0

func (a *VaultConfig) AllowsUnauthenticated() bool

AllowsUnauthenticated returns whether the config allows unauthenticated access to Vault

func (*VaultConfig) ApiConfig added in v0.5.0

func (c *VaultConfig) ApiConfig() (*vault.Config, error)

ApiConfig() returns a usable Vault config that can be passed directly to hashicorp/vault/api.

func (*VaultConfig) Copy added in v0.5.0

func (c *VaultConfig) Copy() *VaultConfig

Copy returns a copy of this Vault config.

func (*VaultConfig) IsEnabled added in v0.5.0

func (a *VaultConfig) IsEnabled() bool

IsEnabled returns whether the config enables Vault integration

func (*VaultConfig) Merge added in v0.5.0

func (a *VaultConfig) Merge(b *VaultConfig) *VaultConfig

Merge merges two Vault configurations together.
