homelab/traefik
1
0
Fork 0
Code Activity

Add Support for Consul Connect

Browse source 
Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com>
This commit is contained in:
Mohammad Gufran 2021-07-15 17:32:11 +05:30 committed by GitHub
parent 3a180e2afc
commit 7e43e5615e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
36 changed files with 2118 additions and 644 deletions
Download patch file Download diff file Expand all files Collapse all files

36
pkg/provider/consulcatalog/config.go
View file

@ -14,7 +14,7 @@ import (
"github.com/traefik/traefik/v2/pkg/provider/constraints"
)
func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dynamic.Configuration {
func (p *Provider) buildConfiguration(ctx context.Context, items []itemData, certInfo *connectCert) *dynamic.Configuration {
configurations := make(map[string]*dynamic.Configuration)
for _, item := range items {
@ -42,6 +42,7 @@ func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dy
logger.Error(err)
continue
}
provider.BuildTCPRouterConfiguration(ctxSvc, confFromLabel.TCP)
}
@ -63,6 +64,17 @@ func (p *Provider) buildConfiguration(ctx context.Context, items []itemData) *dy
continue
}
if item.ExtraConf.ConsulCatalog.Connect {
if confFromLabel.HTTP.ServersTransports == nil {
confFromLabel.HTTP.ServersTransports = make(map[string]*dynamic.ServersTransport)
}
serversTransportKey := itemServersTransportKey(item)
if confFromLabel.HTTP.ServersTransports[serversTransportKey] == nil {
confFromLabel.HTTP.ServersTransports[serversTransportKey] = certInfo.serversTransport(item)
}
}
err = p.buildServiceConfiguration(ctxSvc, item, confFromLabel.HTTP)
if err != nil {
logger.Error(err)
@ -93,13 +105,18 @@ func (p *Provider) keepContainer(ctx context.Context, item itemData) bool {
return false
}
if !p.ConnectAware && item.ExtraConf.ConsulCatalog.Connect {
logger.Debugf("Filtering out Connect aware item, Connect support is not enabled")
return false
}
matches, err := constraints.MatchTags(item.Tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraints expression: %v", err)
logger.Errorf("Error matching constraint expressions: %v", err)
return false
}
if !matches {
logger.Debugf("Container pruned by constraint expression: %q", p.Constraints)
logger.Debugf("Container pruned by constraint expressions: %q", p.Constraints)
return false
}
@ -267,8 +284,19 @@ func (p *Provider) addServer(ctx context.Context, item itemData, loadBalancer *d
return errors.New("address is missing")
}
loadBalancer.Servers[0].URL = fmt.Sprintf("%s://%s", loadBalancer.Servers[0].Scheme, net.JoinHostPort(item.Address, port))
scheme := loadBalancer.Servers[0].Scheme
loadBalancer.Servers[0].Scheme = ""
if item.ExtraConf.ConsulCatalog.Connect {
loadBalancer.ServersTransport = itemServersTransportKey(item)
scheme = "https"
}
loadBalancer.Servers[0].URL = fmt.Sprintf("%s://%s", scheme, net.JoinHostPort(item.Address, port))
return nil
}
func itemServersTransportKey(item itemData) string {
return provider.Normalize("tls-" + item.Namespace + "-" + item.Datacenter + "-" + item.Name)
}

320
pkg/provider/consulcatalog/config_test.go
View file

@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/tls"
)
func Int(v int) *int { return &v }
@ -65,6 +66,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -114,6 +116,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -156,6 +159,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -198,6 +202,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -245,6 +250,7 @@ func TestDefaultRule(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -265,11 +271,11 @@ func TestDefaultRule(t *testing.T) {
for i := 0; i < len(test.items); i++ {
var err error
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i])
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i].Labels)
require.NoError(t, err)
}
configuration := p.buildConfiguration(context.Background(), test.items)
configuration := p.buildConfiguration(context.Background(), test.items, nil)
assert.Equal(t, test.expected, configuration)
})
@ -278,10 +284,11 @@ func TestDefaultRule(t *testing.T) {
func Test_buildConfiguration(t *testing.T) {
testCases := []struct {
desc string
items []itemData
constraints string
expected *dynamic.Configuration
desc string
items []itemData
constraints string
ConnectAware bool
expected *dynamic.Configuration
}{
{
desc: "one container no label",
@ -326,6 +333,162 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
{
desc: "one connect container",
ConnectAware: true,
items: []itemData{
{
ID: "Test",
Node: "Node1",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.1",
Port: "443",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
},
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
},
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"dev-Test": {
Service: "dev-Test",
Rule: "Host(`dev-Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"dev-Test": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://127.0.0.1:443",
},
},
PassHostHeader: Bool(true),
ServersTransport: "tls-ns-dc1-dev-Test",
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{
"tls-ns-dc1-dev-Test": {
ServerName: "ns-dc1-dev/Test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{
"root",
},
Certificates: []tls.Certificate{
{
CertFile: "cert",
KeyFile: "key",
},
},
PeerCertURI: "spiffe:///ns/ns/dc/dc1/svc/dev/Test",
},
},
},
},
},
{
desc: "two connect containers on same service",
ConnectAware: true,
items: []itemData{
{
ID: "Test1",
Node: "Node1",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.1",
Port: "443",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
{
ID: "Test2",
Node: "Node2",
Datacenter: "dc1",
Name: "dev/Test",
Namespace: "ns",
Address: "127.0.0.2",
Port: "444",
Status: api.HealthPassing,
Labels: map[string]string{
"traefik.consulcatalog.connect": "true",
},
Tags: nil,
},
},
expected: &dynamic.Configuration{
TCP: &dynamic.TCPConfiguration{
Routers: map[string]*dynamic.TCPRouter{},
Services: map[string]*dynamic.TCPService{},
Middlewares: map[string]*dynamic.TCPMiddleware{},
},
UDP: &dynamic.UDPConfiguration{
Routers: map[string]*dynamic.UDPRouter{},
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{
"dev-Test": {
Service: "dev-Test",
Rule: "Host(`dev-Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{
"dev-Test": {
LoadBalancer: &dynamic.ServersLoadBalancer{
Servers: []dynamic.Server{
{
URL: "https://127.0.0.1:443",
},
{
URL: "https://127.0.0.2:444",
},
},
PassHostHeader: Bool(true),
ServersTransport: "tls-ns-dc1-dev-Test",
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{
"tls-ns-dc1-dev-Test": {
ServerName: "ns-dc1-dev/Test",
InsecureSkipVerify: true,
RootCAs: []tls.FileOrContent{
"root",
},
Certificates: []tls.Certificate{
{
CertFile: "cert",
KeyFile: "key",
},
},
PeerCertURI: "spiffe:///ns/ns/dc/dc1/svc/dev/Test",
},
},
},
},
},
@ -395,6 +558,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -453,6 +617,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -508,6 +673,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -566,6 +732,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -613,6 +780,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -662,6 +830,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -709,6 +878,7 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`foo.com`)",
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -757,6 +927,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -811,6 +982,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -854,8 +1026,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -910,8 +1083,9 @@ func Test_buildConfiguration(t *testing.T) {
Rule: "Host(`Test.traefik.wtf`)",
},
},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -972,6 +1146,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1025,6 +1200,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1090,6 +1266,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1149,6 +1326,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1224,6 +1402,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1280,6 +1459,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1350,6 +1530,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1412,6 +1593,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1459,6 +1641,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1507,6 +1690,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1560,6 +1744,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1586,9 +1771,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1616,9 +1802,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1646,9 +1833,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1676,9 +1864,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1708,9 +1897,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1759,6 +1949,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1817,6 +2008,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1870,9 +2062,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1919,9 +2112,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -1965,9 +2159,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2007,9 +2202,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2059,9 +2255,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2106,9 +2303,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2195,6 +2393,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2277,6 +2476,7 @@ func Test_buildConfiguration(t *testing.T) {
},
},
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2316,9 +2516,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2357,9 +2558,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.TCPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2400,9 +2602,10 @@ func Test_buildConfiguration(t *testing.T) {
Services: map[string]*dynamic.UDPService{},
},
HTTP: &dynamic.HTTPConfiguration{
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
Routers: map[string]*dynamic.Router{},
Middlewares: map[string]*dynamic.Middleware{},
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
},
},
@ -2417,15 +2620,16 @@ func Test_buildConfiguration(t *testing.T) {
p := Provider{
ExposedByDefault: true,
DefaultRule: "Host(`{{ normalize .Name }}.traefik.wtf`)",
ConnectAware: test.ConnectAware,
Constraints: test.constraints,
}
p.Constraints = test.constraints
err := p.Init()
require.NoError(t, err)
for i := 0; i < len(test.items); i++ {
var err error
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i])
test.items[i].ExtraConf, err = p.getConfiguration(test.items[i].Labels)
require.NoError(t, err)
var tags []string
@ -2435,7 +2639,13 @@ func Test_buildConfiguration(t *testing.T) {
test.items[i].Tags = tags
}
configuration := p.buildConfiguration(context.Background(), test.items)
configuration := p.buildConfiguration(context.Background(), test.items, &connectCert{
root: []string{"root"},
leaf: keyPair{
cert: "cert",
key: "key",
},
})
assert.Equal(t, test.expected, configuration)
})

74
pkg/provider/consulcatalog/connect_tls.go Normal file
View file

@ -0,0 +1,74 @@
package consulcatalog
import (
"fmt"
"github.com/hashicorp/consul/agent/connect"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
)
// connectCert holds our certificates as a client of the Consul Connect protocol.
type connectCert struct {
root []string
leaf keyPair
// err is used to propagate to the caller (Provide) any error occurring within the certificate watcher goroutines.
err error
}
func (c *connectCert) getRoot() []traefiktls.FileOrContent {
var result []traefiktls.FileOrContent
for _, r := range c.root {
result = append(result, traefiktls.FileOrContent(r))
}
return result
}
func (c *connectCert) getLeaf() traefiktls.Certificate {
return traefiktls.Certificate{
CertFile: traefiktls.FileOrContent(c.leaf.cert),
KeyFile: traefiktls.FileOrContent(c.leaf.key),
}
}
func (c *connectCert) isReady() bool {
return c != nil && len(c.root) > 0 && c.leaf.cert != "" && c.leaf.key != ""
}
func (c *connectCert) equals(other *connectCert) bool {
if c == nil && other == nil {
return true
}
if c == nil || other == nil {
return false
}
if len(c.root) != len(other.root) {
return false
}
for i, v := range c.root {
if v != other.root[i] {
return false
}
}
return c.leaf == other.leaf
}
func (c *connectCert) serversTransport(item itemData) *dynamic.ServersTransport {
spiffeIDService := connect.SpiffeIDService{
Namespace: item.Namespace,
Datacenter: item.Datacenter,
Service: item.Name,
}
return &dynamic.ServersTransport{
// This ensures that the config changes whenever the verifier function changes
ServerName: fmt.Sprintf("%s-%s-%s", item.Namespace, item.Datacenter, item.Name),
// InsecureSkipVerify is needed because Go wants to verify a hostname otherwise
InsecureSkipVerify: true,
RootCAs: c.getRoot(),
Certificates: traefiktls.Certificates{
c.getLeaf(),
},
PeerCertURI: spiffeIDService.URI().String(),
}
}

335
pkg/provider/consulcatalog/consul_catalog.go
View file

@ -4,12 +4,14 @@ import (
"context"
"fmt"
"strconv"
"strings"
"text/template"
"time"
"github.com/cenkalti/backoff/v4"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/api/watch"
"github.com/hashicorp/go-hclog"
"github.com/sirupsen/logrus"
ptypes "github.com/traefik/paerser/types"
"github.com/traefik/traefik/v2/pkg/config/dynamic"
"github.com/traefik/traefik/v2/pkg/job"
@ -26,15 +28,17 @@ const DefaultTemplateRule = "Host(`{{ normalize .Name }}`)"
var _ provider.Provider = (*Provider)(nil)
type itemData struct {
ID string
Node string
Name string
Address string
Port string
Status string
Labels map[string]string
Tags []string
ExtraConf configuration
ID string
Node string
Datacenter string
Name string
Namespace string
Address string
Port string
Status string
Labels map[string]string
Tags []string
ExtraConf configuration
}
// Provider holds configurations of the provider.
@ -48,9 +52,13 @@ type Provider struct {
Cache bool `description:"Use local agent caching for catalog reads." json:"cache,omitempty" toml:"cache,omitempty" yaml:"cache,omitempty" export:"true"`
ExposedByDefault bool `description:"Expose containers by default." json:"exposedByDefault,omitempty" toml:"exposedByDefault,omitempty" yaml:"exposedByDefault,omitempty" export:"true"`
DefaultRule string `description:"Default rule." json:"defaultRule,omitempty" toml:"defaultRule,omitempty" yaml:"defaultRule,omitempty"`
ConnectAware bool `description:"Enable Consul Connect support." json:"connectAware,omitempty" toml:"connectAware,omitempty" yaml:"connectAware,omitempty" export:"true"`
ConnectByDefault bool `description:"Consider every service as Connect capable by default." json:"connectByDefault,omitempty" toml:"connectByDefault,omitempty" yaml:"connectByDefault,omitempty" export:"true"`
ServiceName string `description:"Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually)." json:"serviceName,omitempty" toml:"serviceName,omitempty" yaml:"serviceName,omitempty" export:"true"`
client *api.Client
defaultRuleTpl *template.Template
certChan chan *connectCert
}
// EndpointConfig holds configurations of the endpoint.
@ -64,11 +72,6 @@ type EndpointConfig struct {
EndpointWaitTime ptypes.Duration `description:"WaitTime limits how long a Watch will block. If not provided, the agent default values will be used" json:"endpointWaitTime,omitempty" toml:"endpointWaitTime,omitempty" yaml:"endpointWaitTime,omitempty" export:"true"`
}
// SetDefaults sets the default values.
func (c *EndpointConfig) SetDefaults() {
c.Address = "127.0.0.1:8500"
}
// EndpointHTTPAuthConfig holds configurations of the authentication.
type EndpointHTTPAuthConfig struct {
Username string `description:"Basic Auth username" json:"username,omitempty" toml:"username,omitempty" yaml:"username,omitempty"`
@ -78,12 +81,13 @@ type EndpointHTTPAuthConfig struct {
// SetDefaults sets the default values.
func (p *Provider) SetDefaults() {
endpoint := &EndpointConfig{}
endpoint.SetDefaults()
p.Endpoint = endpoint
p.RefreshInterval = ptypes.Duration(15 * time.Second)
p.Prefix = "traefik"
p.ExposedByDefault = true
p.DefaultRule = DefaultTemplateRule
p.ServiceName = "traefik"
p.certChan = make(chan *connectCert)
}
// Init the provider.
@ -99,6 +103,24 @@ func (p *Provider) Init() error {
// Provide allows the consul catalog provider to provide configurations to traefik using the given configuration channel.
func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error {
var err error
p.client, err = createClient(p.Endpoint)
if err != nil {
return fmt.Errorf("unable to create consul client: %w", err)
}
if p.ConnectAware {
leafWatcher, rootWatcher, err := p.createConnectTLSWatchers()
if err != nil {
return fmt.Errorf("unable to create consul watch plans: %w", err)
}
pool.GoCtx(func(routineCtx context.Context) {
p.watchConnectTLS(routineCtx, leafWatcher, rootWatcher)
})
}
var certInfo *connectCert
pool.GoCtx(func(routineCtx context.Context) {
ctxLog := log.With(routineCtx, log.Str(log.ProviderName, "consulcatalog"))
logger := log.FromContext(ctxLog)
@ -106,13 +128,25 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
operation := func() error {
var err error
p.client, err = createClient(p.Endpoint)
if err != nil {
return fmt.Errorf("unable to create consul client: %w", err)
// If we are running in connect aware mode then we need to
// make sure that we obtain the certificates before starting
// the service watcher, otherwise a connect enabled service
// that gets resolved before the certificates are available
// will cause an error condition.
if p.ConnectAware && !certInfo.isReady() {
logger.Infof("Waiting for Connect certificate before building first configuration")
select {
case <-routineCtx.Done():
return nil
case certInfo = <-p.certChan:
if certInfo.err != nil {
return backoff.Permanent(err)
}
}
}
// get configuration at the provider's startup.
err = p.loadConfiguration(routineCtx, configurationChan)
err = p.loadConfiguration(ctxLog, certInfo, configurationChan)
if err != nil {
return fmt.Errorf("failed to get consul catalog data: %w", err)
}
@ -123,14 +157,17 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
for {
select {
case <-ticker.C:
err = p.loadConfiguration(routineCtx, configurationChan)
if err != nil {
return fmt.Errorf("failed to refresh consul catalog data: %w", err)
}
case <-routineCtx.Done():
return nil
case <-ticker.C:
case certInfo = <-p.certChan:
if certInfo.err != nil {
return backoff.Permanent(err)
}
}
err = p.loadConfiguration(ctxLog, certInfo, configurationChan)
if err != nil {
return fmt.Errorf("failed to refresh consul catalog data: %w", err)
}
}
}
@ -148,7 +185,7 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
return nil
}
func (p *Provider) loadConfiguration(ctx context.Context, configurationChan chan<- dynamic.Message) error {
func (p *Provider) loadConfiguration(ctx context.Context, certInfo *connectCert, configurationChan chan<- dynamic.Message) error {
data, err := p.getConsulServicesData(ctx)
if err != nil {
return err
@ -156,21 +193,53 @@ func (p *Provider) loadConfiguration(ctx context.Context, configurationChan chan
configurationChan <- dynamic.Message{
ProviderName: "consulcatalog",
Configuration: p.buildConfiguration(ctx, data),
Configuration: p.buildConfiguration(ctx, data, certInfo),
}
return nil
}
func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error) {
consulServiceNames, err := p.fetchServices(ctx)
// The query option "Filter" is not supported by /catalog/services.
// https://www.consul.io/api/catalog.html#list-services
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
serviceNames, _, err := p.client.Catalog().Services(opts)
if err != nil {
return nil, err
}
var data []itemData
for _, name := range consulServiceNames {
consulServices, statuses, err := p.fetchService(ctx, name)
for name, tags := range serviceNames {
logger := log.FromContext(log.With(ctx, log.Str("serviceName", name)))
svcCfg, err := p.getConfiguration(tagsToNeutralLabels(tags, p.Prefix))
if err != nil {
logger.Errorf("Skip service: %v", err)
continue
}
if !svcCfg.Enable {
logger.Debug("Filtering disabled item")
continue
}
matches, err := constraints.MatchTags(tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraint expressions: %v", err)
continue
}
if !matches {
logger.Debugf("Container pruned by constraint expressions: %q", p.Constraints)
continue
}
if !p.ConnectAware && svcCfg.ConsulCatalog.Connect {
logger.Debugf("Filtering out Connect aware item, Connect support is not enabled")
continue
}
consulServices, statuses, err := p.fetchService(ctx, name, svcCfg.ConsulCatalog.Connect)
if err != nil {
return nil, err
}
@ -181,23 +250,30 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
address = consulService.Address
}
namespace := consulService.Namespace
if namespace == "" {
namespace = "default"
}
status, exists := statuses[consulService.ID+consulService.ServiceID]
if !exists {
status = api.HealthAny
}
item := itemData{
ID: consulService.ServiceID,
Node: consulService.Node,
Name: consulService.ServiceName,
Address: address,
Port: strconv.Itoa(consulService.ServicePort),
Labels: tagsToNeutralLabels(consulService.ServiceTags, p.Prefix),
Tags: consulService.ServiceTags,
Status: status,
ID: consulService.ServiceID,
Node: consulService.Node,
Datacenter: consulService.Datacenter,
Namespace: namespace,
Name: name,
Address: address,
Port: strconv.Itoa(consulService.ServicePort),
Labels: tagsToNeutralLabels(consulService.ServiceTags, p.Prefix),
Tags: consulService.ServiceTags,
Status: status,
}
extraConf, err := p.getConfiguration(item)
extraConf, err := p.getConfiguration(item.Labels)
if err != nil {
log.FromContext(ctx).Errorf("Skip item %s: %v", item.Name, err)
continue
@ -207,10 +283,11 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
data = append(data, item)
}
}
return data, nil
}
func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.CatalogService, map[string]string, error) {
func (p *Provider) fetchService(ctx context.Context, name string, connectEnabled bool) ([]*api.CatalogService, map[string]string, error) {
var tagFilter string
if !p.ExposedByDefault {
tagFilter = p.Prefix + ".enable=true"
@ -219,12 +296,19 @@ func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.Catalo
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
opts = opts.WithContext(ctx)
consulServices, _, err := p.client.Catalog().Service(name, tagFilter, opts)
catalogFunc := p.client.Catalog().Service
healthFunc := p.client.Health().Service
if connectEnabled {
catalogFunc = p.client.Catalog().Connect
healthFunc = p.client.Health().Connect
}
consulServices, _, err := catalogFunc(name, tagFilter, opts)
if err != nil {
return nil, nil, err
}
healthServices, _, err := p.client.Health().Service(name, tagFilter, false, opts)
healthServices, _, err := healthFunc(name, tagFilter, false, opts)
if err != nil {
return nil, nil, err
}
@ -243,55 +327,132 @@ func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.Catalo
return consulServices, statuses, err
}
func (p *Provider) fetchServices(ctx context.Context) ([]string, error) {
// The query option "Filter" is not supported by /catalog/services.
// https://www.consul.io/api/catalog.html#list-services
opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
serviceNames, _, err := p.client.Catalog().Services(opts)
if err != nil {
return nil, err
func rootsWatchHandler(ctx context.Context, dest chan<- []string) func(watch.BlockingParamVal, interface{}) {
return func(_ watch.BlockingParamVal, raw interface{}) {
if raw == nil {
log.FromContext(ctx).Errorf("Root certificate watcher called with nil")
return
}
v, ok := raw.(*api.CARootList)
if !ok || v == nil {
log.FromContext(ctx).Errorf("Invalid result for root certificate watcher")
return
}
roots := make([]string, 0, len(v.Roots))
for _, root := range v.Roots {
roots = append(roots, root.RootCertPEM)
}
dest <- roots
}
// The keys are the service names, and the array values provide all known tags for a given service.
// https://www.consul.io/api/catalog.html#list-services
var filtered []string
for svcName, tags := range serviceNames {
logger := log.FromContext(log.With(ctx, log.Str("serviceName", svcName)))
if !p.ExposedByDefault && !contains(tags, p.Prefix+".enable=true") {
logger.Debug("Filtering disabled item")
continue
}
if contains(tags, p.Prefix+".enable=false") {
logger.Debug("Filtering disabled item")
continue
}
matches, err := constraints.MatchTags(tags, p.Constraints)
if err != nil {
logger.Errorf("Error matching constraints expression: %v", err)
continue
}
if !matches {
logger.Debugf("Container pruned by constraint expression: %q", p.Constraints)
continue
}
filtered = append(filtered, svcName)
}
return filtered, err
}
func contains(values []string, val string) bool {
for _, value := range values {
if strings.EqualFold(value, val) {
return true
type keyPair struct {
cert string
key string
}
func leafWatcherHandler(ctx context.Context, dest chan<- keyPair) func(watch.BlockingParamVal, interface{}) {
return func(_ watch.BlockingParamVal, raw interface{}) {
if raw == nil {
log.FromContext(ctx).Errorf("Leaf certificate watcher called with nil")
return
}
v, ok := raw.(*api.LeafCert)
if !ok || v == nil {
log.FromContext(ctx).Errorf("Invalid result for leaf certificate watcher")
return
}
dest <- keyPair{
cert: v.CertPEM,
key: v.PrivateKeyPEM,
}
}
}
func (p *Provider) createConnectTLSWatchers() (*watch.Plan, *watch.Plan, error) {
leafWatcher, err := watch.Parse(map[string]interface{}{
"type": "connect_leaf",
"service": p.ServiceName,
})
if err != nil {
return nil, nil, fmt.Errorf("failed to create leaf cert watcher plan: %w", err)
}
rootWatcher, err := watch.Parse(map[string]interface{}{
"type": "connect_roots",
})
if err != nil {
return nil, nil, fmt.Errorf("failed to create root cert watcher plan: %w", err)
}
return leafWatcher, rootWatcher, nil
}
// watchConnectTLS watches for updates of the root certificate or the leaf
// certificate, and transmits them to the caller via p.certChan. Any error is also
// propagated up through p.certChan, in connectCert.err.
func (p *Provider) watchConnectTLS(ctx context.Context, leafWatcher *watch.Plan, rootWatcher *watch.Plan) {
ctxLog := log.With(ctx, log.Str(log.ProviderName, "consulcatalog"))
logger := log.FromContext(ctxLog)
leafChan := make(chan keyPair)
rootChan := make(chan []string)
leafWatcher.HybridHandler = leafWatcherHandler(ctx, leafChan)
rootWatcher.HybridHandler = rootsWatchHandler(ctx, rootChan)
logOpts := &hclog.LoggerOptions{
Name: "consulcatalog",
Level: hclog.LevelFromString(logrus.GetLevel().String()),
JSONFormat: true,
}
hclogger := hclog.New(logOpts)
go func() {
err := leafWatcher.RunWithClientAndHclog(p.client, hclogger)
if err != nil {
p.certChan <- &connectCert{err: err}
}
}()
go func() {
err := rootWatcher.RunWithClientAndHclog(p.client, hclogger)
if err != nil {
p.certChan <- &connectCert{err: err}
}
}()
var (
certInfo *connectCert
leafCerts keyPair
rootCerts []string
)
for {
select {
case <-ctx.Done():
leafWatcher.Stop()
rootWatcher.Stop()
return
case rootCerts = <-rootChan:
case leafCerts = <-leafChan:
}
newCertInfo := &connectCert{
root: rootCerts,
leaf: leafCerts,
}
if newCertInfo.isReady() && !newCertInfo.equals(certInfo) {
logger.Debugf("Updating connect certs for service %s", p.ServiceName)
certInfo = newCertInfo
p.certChan <- newCertInfo
}
}
return false
}
func createClient(cfg *EndpointConfig) (*api.Client, error) {

14
pkg/provider/consulcatalog/label.go
View file

@ -6,15 +6,21 @@ import (
// configuration Contains information from the labels that are globals (not related to the dynamic configuration) or specific to the provider.
type configuration struct {
Enable bool
Enable bool
ConsulCatalog specificConfiguration
}
func (p *Provider) getConfiguration(item itemData) (configuration, error) {
type specificConfiguration struct {
Connect bool
}
func (p *Provider) getConfiguration(labels map[string]string) (configuration, error) {
conf := configuration{
Enable: p.ExposedByDefault,
Enable: p.ExposedByDefault,
ConsulCatalog: specificConfiguration{Connect: p.ConnectByDefault},
}
err := label.Decode(item.Labels, &conf, "traefik.consulcatalog.", "traefik.enable")
err := label.Decode(labels, &conf, "traefik.consulcatalog.", "traefik.enable")
if err != nil {
return configuration{}, err
}