structs

package
Published: Jul 15, 2021 License: MPL-2.0 Imports: 39 Imported by: 684

Documentation

Index

Constants

const (

	// This policy gives unlimited access to everything. Users
	// may rename if desired but cannot delete or modify the rules.
	ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
	// ACLPolicyGlobalManagement is the rule text of the built-in global
	// management policy: "write" on every resource type listed below,
	// including acl, keyring and operator. A token linked to this policy
	// therefore controls the whole cluster, and its secret should be
	// handled with the same care as a management token's. The enterprise
	// suffix appended here is the empty string on this page.
	ACLPolicyGlobalManagement   = `
acl = "write"
agent_prefix "" {
	policy = "write"
}
event_prefix "" {
	policy = "write"
}
key_prefix "" {
	policy = "write"
}
keyring = "write"
node_prefix "" {
	policy = "write"
}
operator = "write"
query_prefix "" {
	policy = "write"
}
service_prefix "" {
	policy = "write"
	intentions = "write"
}
session_prefix "" {
	policy = "write"
}` + EnterpriseACLPolicyGlobalManagement

	// This is the policy ID for anonymous access. This is configurable by the
	// user.
	// NOTE(review): the identifier is named as a token ID while the comment
	// says policy ID — confirm which object this UUID identifies.
	ACLTokenAnonymousID = "00000000-0000-0000-0000-000000000002"

	// ACLReservedPrefix is the 34-character prefix shared by the two built-in
	// IDs above. ACLIDReserved presumably reports whether an ID falls into
	// this reserved range — confirm against its implementation.
	ACLReservedPrefix = "00000000-0000-0000-0000-0000000000"
)
// The BindingRuleBindType* constants are the valid values of
// ACLBindingRule.BindType and decide what a successful login binds the
// created token to.
const (
	// BindingRuleBindTypeService is the binding rule bind type that
	// assigns a Service Identity to the token that is created using the value
	// of the computed BindName as the ServiceName like:
	//
	// &ACLToken{
	//   ...other fields...
	//   ServiceIdentities: []*ACLServiceIdentity{
	//     &ACLServiceIdentity{
	//       ServiceName: "<computed BindName>",
	//     },
	//   },
	// }
	BindingRuleBindTypeService = "service"

	// BindingRuleBindTypeRole is the binding rule bind type that only allows
	// the binding rule to function if a role with the given name (BindName)
	// exists at login-time. If it does the token that is created is directly
	// linked to that role like:
	//
	// &ACLToken{
	//   ...other fields...
	//   Roles: []ACLTokenRoleLink{
	//     { Name: "<computed BindName>" }
	//   }
	// }
	//
	// If it does not exist at login-time the rule is ignored.
	BindingRuleBindTypeRole = "role"

	// BindingRuleBindTypeNode is the binding rule bind type that assigns
	// a Node Identity to the token that is created using the value of
	// the computed BindName as the NodeName like:
	//
	// &ACLToken{
	//   ...other fields...
	//   NodeIdentities: []*ACLNodeIdentity{
	//     &ACLNodeIdentity{
	//       NodeName: "<computed BindName>",
	//       Datacenter: "<local datacenter of the binding rule>"
	//     }
	//   }
	// }
	BindingRuleBindTypeNode = "node"
)
// The ACLTokenType* constants are the legacy token types.
const (
	// ACLTokenTypeClient tokens have rules applied
	ACLTokenTypeClient = "client"

	// ACLTokenTypeManagement tokens have an always allow policy, so they can
	// make other tokens and can access all resources.
	ACLTokenTypeManagement = "management"

	// ACLTokenTypeNone is the empty (unset) token type.
	ACLTokenTypeNone = ""
)
// These are used to manage the built-in "serfHealth" check that's attached
// to every node in the catalog.
const (
	SerfCheckID           types.CheckID = "serfHealth"
	SerfCheckName                       = "Serf Health Status"
	SerfCheckAliveOutput                = "Agent alive and reachable"   // check output while the agent is reachable
	SerfCheckFailedOutput               = "Agent not live or unreachable" // check output once the agent is not
)

These are used to manage the built-in "serfHealth" check that's attached to every node in the catalog.

const (
	// These are used to manage the "consul" service that's attached to every
	// Consul server node in the catalog. ConsulCompoundServiceID wraps the ID
	// in a ServiceID via NewServiceID.
	ConsulServiceID   = "consul"
	ConsulServiceName = "consul"
)
// Config entry kinds, followed by the reserved names of the singleton
// entries and the protocol assumed when none is configured.
const (
	ServiceDefaults    string = "service-defaults"
	ProxyDefaults      string = "proxy-defaults"
	ServiceRouter      string = "service-router"
	ServiceSplitter    string = "service-splitter"
	ServiceResolver    string = "service-resolver"
	IngressGateway     string = "ingress-gateway"
	TerminatingGateway string = "terminating-gateway"
	ServiceIntentions  string = "service-intentions"
	MeshConfig         string = "mesh"

	// ProxyConfigGlobal and MeshConfigMesh are the only names the
	// proxy-defaults and mesh kinds use.
	ProxyConfigGlobal string = "global"
	MeshConfigMesh    string = "mesh"

	// DefaultServiceProtocol is the protocol assumed when a service declares
	// none; IsProtocolHTTPLike distinguishes the HTTP-like protocols from it.
	DefaultServiceProtocol = "tcp"
)
const (
	// Names of Envoy's LB policies
	LBPolicyMaglev       = "maglev"
	LBPolicyRingHash     = "ring_hash"
	LBPolicyRandom       = "random"
	LBPolicyLeastRequest = "least_request"
	LBPolicyRoundRobin   = "round_robin"

	// Names of Envoy's hash policies (the request attributes a hash can be
	// computed from).
	HashPolicyCookie     = "cookie"
	HashPolicyHeader     = "header"
	HashPolicyQueryParam = "query_parameter"
)
// Default certificate lifetimes for the Connect CA, expressed as duration
// strings. Leaf TTLs are additionally bounded by MinLeafCertTTL and
// MaxLeafCertTTL.
const (
	DefaultLeafCertTTL         = "72h"
	DefaultIntermediateCertTTL = "8760h" // 365 * 24h
)
// Names of the supported Connect CA providers.
const (
	ConsulCAProvider = "consul"
	VaultCAProvider  = "vault"
	AWSCAProvider    = "aws-pca"
)
// The TopologySource* constants label where an upstream/downstream
// relationship in the service topology was derived from.
const (
	// TODO (freddy) Should we have a TopologySourceMixed when there is a mix of proxy reg and tproxy?
	//				 Currently we label as proxy-registration if ANY instance has the explicit upstream definition.
	// TopologySourceRegistration is used to label upstreams or downstreams from explicit upstream definitions
	TopologySourceRegistration = "proxy-registration"

	// TopologySourceSpecificIntention is used to label upstreams or downstreams from specific intentions
	TopologySourceSpecificIntention = "specific-intention"

	// TopologySourceWildcardIntention is used to label upstreams or downstreams from wildcard intentions
	TopologySourceWildcardIntention = "wildcard-intention"

	// TopologySourceDefaultAllow is used to label upstreams or downstreams from default allow ACL policy
	TopologySourceDefaultAllow = "default-allow"
)
// Upstream destination types: an upstream targets either a service or a
// prepared query.
const (
	UpstreamDestTypeService       = "service"
	UpstreamDestTypePreparedQuery = "prepared_query"
)
// Node types of the discovery chain graph, one per config entry kind that
// participates in it (ServiceRouter, ServiceSplitter, ServiceResolver).
const (
	DiscoveryGraphNodeTypeRouter   = "router"
	DiscoveryGraphNodeTypeSplitter = "splitter"
	DiscoveryGraphNodeTypeResolver = "resolver"
)
// Where intention data originates: the legacy intention store or
// service-intentions config entries.
const (
	IntentionDataOriginLegacy        = "legacy"
	IntentionDataOriginConfigEntries = "config"
)
// MessageType values are serialized between Consul servers and stored in
// Consul snapshots, so entries must only ever be added — never renumbered,
// reused or removed. All values stay below IgnoreUnknownTypeFlag (128),
// whose bit is reserved as a flag on the type byte.
const (
	RegisterRequestType             MessageType = 0
	DeregisterRequestType                       = 1
	KVSRequestType                              = 2
	SessionRequestType                          = 3
	ACLRequestType                              = 4 // DEPRECATED (ACL-Legacy-Compat)
	TombstoneRequestType                        = 5
	CoordinateBatchUpdateType                   = 6
	PreparedQueryRequestType                    = 7
	TxnRequestType                              = 8
	AutopilotRequestType                        = 9
	AreaRequestType                             = 10
	ACLBootstrapRequestType                     = 11
	IntentionRequestType                        = 12
	ConnectCARequestType                        = 13
	ConnectCAProviderStateType                  = 14
	ConnectCAConfigType                         = 15 // FSM snapshots only.
	IndexRequestType                            = 16 // FSM snapshots only.
	ACLTokenSetRequestType                      = 17
	ACLTokenDeleteRequestType                   = 18
	ACLPolicySetRequestType                     = 19
	ACLPolicyDeleteRequestType                  = 20
	ConnectCALeafRequestType                    = 21
	ConfigEntryRequestType                      = 22
	ACLRoleSetRequestType                       = 23
	ACLRoleDeleteRequestType                    = 24
	ACLBindingRuleSetRequestType                = 25
	ACLBindingRuleDeleteRequestType             = 26
	ACLAuthMethodSetRequestType                 = 27
	ACLAuthMethodDeleteRequestType              = 28
	ChunkingStateType                           = 29
	FederationStateRequestType                  = 30
	SystemMetadataRequestType                   = 31
)

These are serialized between Consul servers and stored in Consul snapshots, so entries must only ever be added.

const (
	// IgnoreUnknownTypeFlag is set along with a MessageType
	// to indicate that the message type can be safely ignored
	// if it is not recognized. This is for future proofing, so
	// that new commands can be added in a way that won't cause
	// old servers to crash when the FSM attempts to process them.
	IgnoreUnknownTypeFlag MessageType = 128

	// NodeMaint is the special key set by a node in maintenance mode.
	// NodeMaintCheckID wraps it in a CheckID via NewCheckID.
	NodeMaint = "_node_maintenance"

	// ServiceMaintPrefix is the prefix for a service in maintenance mode.
	ServiceMaintPrefix = "_service_maintenance:"

	// MetaSegmentKey is the node metadata key used to store the node's network segment
	MetaSegmentKey = "consul-network-segment"

	// MetaWANFederationKey is the mesh gateway metadata key that indicates a
	// mesh gateway is usable for wan federation.
	MetaWANFederationKey = "consul-wan-federation"

	// MetaExternalSource is the metadata key used when a resource is managed by a source outside Consul like nomad/k8s
	MetaExternalSource = "external-source"

	// MaxLockDelay provides a maximum LockDelay value for
	// a session. Any value above this will not be respected.
	MaxLockDelay = 60 * time.Second

	// WildcardSpecifier is the string which should be used for specifying a wildcard
	// The exact semantics of the wildcard is left up to the code where its used.
	WildcardSpecifier = "*"
)
// Well-known tagged address names for a node's WAN and LAN addresses, with
// address-family-specific variants.
const (
	TaggedAddressWAN     = "wan"
	TaggedAddressWANIPv4 = "wan_ipv4"
	TaggedAddressWANIPv6 = "wan_ipv6"
	TaggedAddressLAN     = "lan"
	TaggedAddressLANIPv4 = "lan_ipv4"
	TaggedAddressLANIPv6 = "lan_ipv6"
)
// Session TTL bounds. SessionTTLMax caps the TTL a session may request;
// SessionTTLMultiplier is a factor applied to the TTL (presumably when
// deciding when a session is considered expired — confirm in the session
// code, which is not on this page).
const (
	SessionTTLMax        = 24 * time.Hour
	SessionTTLMultiplier = 2
)
// KeyringOp values name the gossip encryption keyring operations. These
// change the keys that protect gossip traffic, and the global management
// policy grants keyring = "write" for them.
const (
	KeyringList    KeyringOp = "list"
	KeyringInstall           = "install"
	KeyringUse               = "use"
	KeyringRemove            = "remove"
)
// System metadata key recording which intention format the cluster uses,
// and its two possible values (see also IntentionDataOrigin*).
const (
	SystemMetadataIntentionFormatKey         = "intention-format"
	SystemMetadataIntentionFormatConfigValue = "config-entry"
	SystemMetadataIntentionFormatLegacyValue = "legacy"
)
const (
	// EnterpriseACLPolicyGlobalManagement is the enterprise-only suffix
	// appended to ACLPolicyGlobalManagement; it is empty in this build.
	EnterpriseACLPolicyGlobalManagement = ""
)
const (
	// IntentionDefaultNamespace is the default namespace value.
	// NOTE(mitchellh): This is only meant to be a temporary constant.
	// When namespaces are introduced, we should delete this constant and
	// fix up all the places where this was used with the proper namespace
	// value.
	IntentionDefaultNamespace = "default"
)
const (
	// QueryTemplateTypeNamePrefixMatch uses the Name field of the query as
	// a prefix to select the template. It is the only template type defined
	// here.
	QueryTemplateTypeNamePrefixMatch = "name_prefix_match"
)

Variables

// Compound IDs for the built-in "consul" service and "serfHealth" check,
// built with a nil EnterpriseMeta (i.e. the default partition/namespace).
var (
	ConsulCompoundServiceID = NewServiceID(ConsulServiceID, nil)
	SerfCompoundCheckID     = NewCheckID(SerfCheckID, nil)
)
// Sentinel errors returned across the RPC layer. Each wraps an unexported
// message constant (errNoLeader etc.) that is not shown on this page; the
// IsErrNoLeader / IsErrNoDCPath / IsErrQueryNotFound / IsErrRPCRateExceeded
// helpers presumably match against these values — prefer them over string
// comparison.
var (
	ErrNoLeader                   = errors.New(errNoLeader)
	ErrNoDCPath                   = errors.New(errNoDCPath)
	ErrNoServers                  = errors.New(errNoServers)
	ErrNotReadyForConsistentReads = errors.New(errNotReadyForConsistentReads)
	ErrSegmentsNotSupported       = errors.New(errSegmentsNotSupported)
	ErrRPCRateExceeded            = errors.New(errRPCRateExceeded)
	ErrDCNotAvailable             = errors.New(errDCNotAvailable)
	ErrQueryNotFound              = errors.New(errQueryNotFound)
	ErrLeaderNotTracked           = errors.New(errLeaderNotTracked)
)
// ACLBootstrapInvalidResetIndexErr is returned when bootstrap is requested
// with a non-zero reset index but the index doesn't match the bootstrap
// index. (The name predates the ErrXxx convention and is kept for
// compatibility.)
var ACLBootstrapInvalidResetIndexErr = errors.New("Invalid ACL bootstrap reset index")

ACLBootstrapInvalidResetIndexErr is returned when bootstrap is requested with a non-zero reset index but the index doesn't match the bootstrap index

// ACLBootstrapNotAllowedErr is returned once we know that a bootstrap can no
// longer be done since the cluster was bootstrapped.
var ACLBootstrapNotAllowedErr = errors.New("ACL bootstrap no longer allowed")

ACLBootstrapNotAllowedErr is returned once we know that a bootstrap can no longer be done since the cluster was bootstrapped

// ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted
// but we haven't yet initialized ACL bootstrap. It provides some guidance to
// operators on how to proceed.
var ACLBootstrapNotInitializedErr = errors.New("ACL bootstrap not initialized, need to force a leader election and ensure all Consul servers support this feature")

ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted but we haven't yet initialized ACL bootstrap. It provides some guidance to operators on how to proceed.

// IntermediateCertRenewInterval is the interval at which the expiration of
// the intermediate cert is checked and renewed if necessary. It is a var,
// not a const, so tests can shorten it.
var IntermediateCertRenewInterval = time.Hour

IntermediateCertRenewInterval is the interval at which the expiration of the intermediate cert is checked and renewed if necessary.

// MaxLeafCertTTL is the longest leaf certificate lifetime that may be
// configured (one year); see also DefaultLeafCertTTL.
var MaxLeafCertTTL = 365 * 24 * time.Hour
// MinLeafCertTTL is the shortest leaf certificate lifetime that may be
// configured; see also MaxLeafCertTTL.
var MinLeafCertTTL = time.Hour
// MsgpackHandle is a shared handle for encoding/decoding msgpack payloads.
// RawToString decodes raw byte values as Go strings, and maps decoded into
// an untyped target become map[string]interface{}. The handle sets no
// decode size limits of its own; NOTE(review): Decode is reachable with
// network-supplied bytes, so confirm that the call sites bound the input
// they accept.
var MsgpackHandle = &codec.MsgpackHandle{
	RawToString: true,
	BasicHandle: codec.BasicHandle{
		DecodeOptions: codec.DecodeOptions{
			MapType: reflect.TypeOf(map[string]interface{}{}),
		},
	},
}

MsgpackHandle is a shared handle for encoding/decoding msgpack payloads

var (
	// NodeMaintCheckID is the compound ID of the node maintenance check
	// (NodeMaint) in the default EnterpriseMeta.
	NodeMaintCheckID = NewCheckID(NodeMaint, nil)
)
// TestingOldPre1dot7MsgpackHandle is the common configuration pre-1.7.0: a
// zero-value handle, i.e. without the RawToString and MapType options that
// MsgpackHandle sets. TestMsgpackEncodeDecode compares the two.
var TestingOldPre1dot7MsgpackHandle = &codec.MsgpackHandle{}

TestingOldPre1dot7MsgpackHandle is the common configuration pre-1.7.0

Functions

func ACLIDReserved added in v1.4.0

func ACLIDReserved(id string) bool

func CloneStringSlice added in v1.8.7

func CloneStringSlice(s []string) []string

func Decode

func Decode(buf []byte, out interface{}) error

Decode is used to decode a MsgPack encoded object

func DecodeProto added in v1.7.0

func DecodeProto(buf []byte, out ProtoMarshaller) error

func Encode

func Encode(t MessageType, msg interface{}) ([]byte, error)

Encode is used to encode a MsgPack object with type prefix

func EncodeProto added in v1.7.0

func EncodeProto(t MessageType, message ProtoMarshaller) ([]byte, error)

func EncodeProtoInterface added in v1.7.0

func EncodeProtoInterface(t MessageType, message interface{}) ([]byte, error)

func IsErrNoDCPath added in v1.8.1

func IsErrNoDCPath(err error) bool

func IsErrNoLeader added in v1.0.0

func IsErrNoLeader(err error) bool

func IsErrQueryNotFound added in v1.8.1

func IsErrQueryNotFound(err error) bool

func IsErrRPCRateExceeded added in v0.9.3

func IsErrRPCRateExceeded(err error) bool

func IsErrServiceNotFound added in v1.4.1

func IsErrServiceNotFound(err error) bool

func IsProtocolHTTPLike added in v1.9.0

func IsProtocolHTTPLike(protocol string) bool

func NormalizeServiceSplitWeight added in v1.6.0

func NormalizeServiceSplitWeight(weight float32) float32

func ParseDurationFunc added in v1.2.3

func ParseDurationFunc() mapstructure.DecodeHookFunc

ParseDurationFunc is a mapstructure hook for decoding a string or []uint8 into a time.Duration value.

func SanitizeLegacyACLToken added in v1.4.0

func SanitizeLegacyACLToken(token *ACLToken)

SanitizeLegacyACLToken does nothing in the OSS builds. It does not mutate the input argument at all.

In enterprise builds this hook is necessary to support fixing old multiline HCL strings in legacy token Sentinel policies into heredocs. If the token was updated and previously had a Hash set, this will also update it.

DEPRECATED (ACL-Legacy-Compat)

func SanitizeLegacyACLTokenRules added in v1.4.0

func SanitizeLegacyACLTokenRules(rules string) string

SanitizeLegacyACLTokenRules does nothing in the OSS builds. It always returns an empty string.

In enterprise builds this hook is necessary to support fixing any old multiline HCL strings in legacy token Sentinel policies into heredocs.

DEPRECATED (ACL-Legacy-Compat)

func SatisfiesMetaFilters

func SatisfiesMetaFilters(meta map[string]string, filters map[string]string) bool

SatisfiesMetaFilters returns true if the metadata map contains the given filters

func ServiceIDString added in v1.7.0

func ServiceIDString(id string, _ *EnterpriseMeta) string

func TestMsgpackEncodeDecode added in v1.7.0

func TestMsgpackEncodeDecode(t *testing.T, in interface{}, requireEncoderEquality bool)

TestMsgpackEncodeDecode is a test helper to easily write a test to verify msgpack encoding and decoding using two handles is identical.

func Uint8ToString added in v1.2.3

func Uint8ToString(bs []uint8) string

func UniqueID added in v1.9.0

func UniqueID(node string, compoundID string) string

UniqueID is a unique identifier for a service instance within a datacenter by encoding: node/namespace/service_id

Note: We do not have strict character restrictions in all node names, so this should NOT be split on / to retrieve components.

func ValidStatus

func ValidStatus(s string) bool

func ValidateNodeMetadata added in v1.8.0

func ValidateNodeMetadata(meta map[string]string, allowConsulPrefix bool) error

ValidateNodeMetadata validates a set of key/value pairs from the agent config for use on a Node.

func ValidateServiceMetadata added in v1.8.0

func ValidateServiceMetadata(kind ServiceKind, meta map[string]string, allowConsulPrefix bool) error

ValidateServiceMetadata validates a set of key/value pairs from the agent config for use on a Service.

func ValidateWeights added in v1.2.3

func ValidateWeights(weights *Weights) error

ValidateWeights checks the definition of DNS weight is valid

Types

type ACL

// ACL is used to represent a token and its rules. This is the legacy token
// representation; Convert maps it 1-1 onto an ACLToken.
type ACL struct {
	ID    string // token ID, which doubles as its secret in the legacy model — presumably; confirm
	Name  string
	Type  string // one of the ACLTokenType* constants
	Rules string // rule text, possibly in the older HCL syntax Convert corrects

	RaftIndex
}

ACL is used to represent a token and its rules

func (*ACL) Convert added in v1.4.0

func (a *ACL) Convert() *ACLToken

Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken equivalent. This will NOT fill in the other ACLToken fields or perform any other upgrade (other than correcting an older HCL syntax that is no longer supported).

func (*ACL) IsSame

func (a *ACL) IsSame(other *ACL) bool

IsSame checks if one ACL is the same as another, without looking at the Raft information (that's why we didn't call it IsEqual). This is useful for seeing if an update would be idempotent for all the functional parts of the structure.

type ACLAuthMethod added in v1.5.0

// ACLAuthMethod is the stored definition of an auth method, i.e. a way to
// exchange an external credential for a Consul token. Its type-specific
// settings live in Config; binding rules (ACLBindingRule) refer to it by
// Name.
type ACLAuthMethod struct {
	// Name is a unique identifier for this specific auth method.
	//
	// Immutable once set and only settable during create.
	Name string

	// Type is the type of the auth method this is.
	//
	// Immutable once set and only settable during create.
	Type string

	// DisplayName is an optional name to use instead of the Name field when
	// displaying information about this auth method in any kind of user
	// interface.
	DisplayName string `json:",omitempty"`

	// Description is just an optional bunch of explanatory text.
	Description string `json:",omitempty"`

	// MaxTokenTTL is the maximum life of a token created by this method.
	MaxTokenTTL time.Duration `json:",omitempty"`

	// TokenLocality defines the kind of token that this auth method produces.
	// This can be either 'local' or 'global'. If empty 'local' is assumed.
	TokenLocality string `json:",omitempty"`

	// Configuration is arbitrary configuration for the auth method. This
	// should only contain primitive values and containers (such as lists and
	// maps). NOTE(review): its validation is specific to each auth method
	// type and is not visible here.
	Config map[string]interface{}

	// Embedded Enterprise ACL Meta
	EnterpriseMeta `mapstructure:",squash"`

	ACLAuthMethodEnterpriseFields `mapstructure:",squash"`

	// Embedded Raft Metadata
	RaftIndex `hash:"ignore"`
}

func (*ACLAuthMethod) MarshalJSON added in v1.8.0

func (m *ACLAuthMethod) MarshalJSON() ([]byte, error)

func (*ACLAuthMethod) Stub added in v1.5.0

func (*ACLAuthMethod) TargetEnterpriseMeta added in v1.7.0

func (m *ACLAuthMethod) TargetEnterpriseMeta(_ *EnterpriseMeta) *EnterpriseMeta

func (*ACLAuthMethod) UnmarshalJSON added in v1.8.0

func (m *ACLAuthMethod) UnmarshalJSON(data []byte) (err error)

type ACLAuthMethodBatchDeleteRequest added in v1.5.0

// ACLAuthMethodBatchDeleteRequest is used at the Raft layer for batching
// multiple auth method deletions.
type ACLAuthMethodBatchDeleteRequest struct {
	AuthMethodNames []string
	// While it may seem odd that AuthMethodNames is associated with a single
	// EnterpriseMeta, it is okay as this struct is only ever used to
	// delete a single entry. This is because AuthMethods unlike tokens, policies
	// and roles are not replicated between datacenters and therefore never
	// batch applied.
	EnterpriseMeta
}

ACLAuthMethodBatchDeleteRequest is used at the Raft layer for batching multiple auth method deletions

type ACLAuthMethodBatchSetRequest added in v1.5.0

// ACLAuthMethodBatchSetRequest is used at the Raft layer for batching
// multiple auth method creations and updates.
type ACLAuthMethodBatchSetRequest struct {
	AuthMethods ACLAuthMethods
}

ACLAuthMethodBatchSetRequest is used at the Raft layer for batching multiple auth method creations and updates

type ACLAuthMethodDeleteRequest added in v1.5.0

// ACLAuthMethodDeleteRequest is used at the RPC layer for deletion requests.
type ACLAuthMethodDeleteRequest struct {
	AuthMethodName string // name of the auth method to delete
	Datacenter     string // The datacenter to perform the request within
	EnterpriseMeta
	WriteRequest
}

ACLAuthMethodDeleteRequest is used at the RPC layer for deletion requests

func (*ACLAuthMethodDeleteRequest) RequestDatacenter added in v1.5.0

func (r *ACLAuthMethodDeleteRequest) RequestDatacenter() string

type ACLAuthMethodEnterpriseFields added in v1.8.0

// ACLAuthMethodEnterpriseFields is embedded in ACLAuthMethod; it is empty in
// this build.
type ACLAuthMethodEnterpriseFields struct{}

type ACLAuthMethodEnterpriseMeta added in v1.7.0

// ACLAuthMethodEnterpriseMeta is empty in this build; its
// FillWithEnterpriseMeta and ToEnterpriseMeta methods exist so callers can
// be written the same way in every build.
type ACLAuthMethodEnterpriseMeta struct{}

func (*ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta added in v1.7.0

func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *EnterpriseMeta)

func (*ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta added in v1.7.0

func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *EnterpriseMeta

type ACLAuthMethodGetRequest added in v1.5.0

// ACLAuthMethodGetRequest is used at the RPC layer to perform auth method
// read operations.
type ACLAuthMethodGetRequest struct {
	AuthMethodName string // name used for the auth method lookup
	Datacenter     string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLAuthMethodGetRequest is used at the RPC layer to perform auth method read operations

func (*ACLAuthMethodGetRequest) RequestDatacenter added in v1.5.0

func (r *ACLAuthMethodGetRequest) RequestDatacenter() string

type ACLAuthMethodListRequest added in v1.5.0

// ACLAuthMethodListRequest is used at the RPC layer to request a listing of
// auth methods.
type ACLAuthMethodListRequest struct {
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLAuthMethodListRequest is used at the RPC layer to request a listing of auth methods

func (*ACLAuthMethodListRequest) RequestDatacenter added in v1.5.0

func (r *ACLAuthMethodListRequest) RequestDatacenter() string

type ACLAuthMethodListResponse added in v1.5.0

// ACLAuthMethodListResponse carries a listing of auth method stubs plus
// query metadata.
type ACLAuthMethodListResponse struct {
	AuthMethods ACLAuthMethodListStubs
	QueryMeta
}

type ACLAuthMethodListStub added in v1.5.0

// ACLAuthMethodListStub is the listing form of an auth method.
// Note: this is a subset of ACLAuthMethod's fields — in particular Config is
// omitted, so listings never expose method configuration.
type ACLAuthMethodListStub struct {
	Name          string
	Type          string
	DisplayName   string        `json:",omitempty"`
	Description   string        `json:",omitempty"`
	MaxTokenTTL   time.Duration `json:",omitempty"`
	TokenLocality string        `json:",omitempty"`
	CreateIndex   uint64
	ModifyIndex   uint64
	EnterpriseMeta
}

Note: this is a subset of ACLAuthMethod's fields

func (*ACLAuthMethodListStub) MarshalJSON added in v1.10.0

func (m *ACLAuthMethodListStub) MarshalJSON() ([]byte, error)

This is nearly identical to the ACLAuthMethod MarshalJSON. Unmarshaling is not implemented because the API is read-only.

type ACLAuthMethodListStubs added in v1.5.0

// ACLAuthMethodListStubs is a sortable list of auth method stubs.
type ACLAuthMethodListStubs []*ACLAuthMethodListStub

func (ACLAuthMethodListStubs) Sort added in v1.5.0

func (methods ACLAuthMethodListStubs) Sort()

type ACLAuthMethodResponse added in v1.5.0

// ACLAuthMethodResponse returns a single auth method + metadata. AuthMethod
// is nil when nothing was found — presumably; confirm at the RPC handler.
type ACLAuthMethodResponse struct {
	AuthMethod *ACLAuthMethod
	QueryMeta
}

ACLAuthMethodResponse returns a single auth method + metadata

type ACLAuthMethodSetRequest added in v1.5.0

// ACLAuthMethodSetRequest is used at the RPC layer for creation and update
// requests.
type ACLAuthMethodSetRequest struct {
	AuthMethod ACLAuthMethod // The auth method to upsert
	Datacenter string        // The datacenter to perform the request within
	WriteRequest
}

ACLAuthMethodSetRequest is used at the RPC layer for creation and update requests

func (*ACLAuthMethodSetRequest) RequestDatacenter added in v1.5.0

func (r *ACLAuthMethodSetRequest) RequestDatacenter() string

type ACLAuthMethods added in v1.5.0

// ACLAuthMethods is a sortable list of auth methods.
type ACLAuthMethods []*ACLAuthMethod

func (ACLAuthMethods) Sort added in v1.5.0

func (methods ACLAuthMethods) Sort()

type ACLAuthorizationRequest added in v1.7.0

// ACLAuthorizationRequest describes one authorization check: the resource
// type, an optional segment (e.g. a specific name within that resource
// type), and the access level requested. CreateACLAuthorizationResponses
// evaluates a batch of these against an acl.Authorizer.
type ACLAuthorizationRequest struct {
	Resource acl.Resource
	Segment  string `json:",omitempty"`
	Access   string
	EnterpriseMeta
}

type ACLAuthorizationResponse added in v1.7.0

// ACLAuthorizationResponse echoes the request it answers and reports in
// Allow whether the authorizer permitted it.
type ACLAuthorizationResponse struct {
	ACLAuthorizationRequest
	Allow bool
}

func CreateACLAuthorizationResponses added in v1.7.0

func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthorizationRequest) ([]ACLAuthorizationResponse, error)

type ACLBindingRule added in v1.5.0

// ACLBindingRule decides what a login through AuthMethod is granted: when
// Selector matches the verified identity, the token is bound according to
// BindType and BindName. Because BindName is templated from attributes the
// auth method returns, the trust placed in a rule is bounded by the trust
// placed in that auth method's identity claims.
type ACLBindingRule struct {
	// ID is the internal UUID associated with the binding rule
	ID string

	// Description is a human readable description (Optional)
	Description string

	// AuthMethod is the name of the auth method for which this rule applies.
	AuthMethod string

	// Selector is an expression that matches against verified identity
	// attributes returned from the auth method during login.
	Selector string

	// BindType adjusts how this binding rule is applied at login time.  The
	// valid values are:
	//
	//  - BindingRuleBindTypeService = "service"
	//  - BindingRuleBindTypeRole    = "role"
	//  - BindingRuleBindTypeNode    = "node"
	BindType string

	// BindName is the target of the binding. Can be lightly templated using
	// HIL ${foo} syntax from available field names. How it is used depends
	// upon the BindType.
	BindName string

	// Embedded Enterprise ACL metadata
	EnterpriseMeta `mapstructure:",squash"`

	// Embedded Raft Metadata
	RaftIndex `hash:"ignore"`
}

func (*ACLBindingRule) Clone added in v1.5.0

func (r *ACLBindingRule) Clone() *ACLBindingRule

type ACLBindingRuleBatchDeleteRequest added in v1.5.0

// ACLBindingRuleBatchDeleteRequest is used at the Raft layer for batching
// multiple rule deletions.
type ACLBindingRuleBatchDeleteRequest struct {
	BindingRuleIDs []string
}

ACLBindingRuleBatchDeleteRequest is used at the Raft layer for batching multiple rule deletions

type ACLBindingRuleBatchSetRequest added in v1.5.0

// ACLBindingRuleBatchSetRequest is used at the Raft layer for batching
// multiple rule creations and updates.
type ACLBindingRuleBatchSetRequest struct {
	BindingRules ACLBindingRules
}

ACLBindingRuleBatchSetRequest is used at the Raft layer for batching multiple rule creations and updates

type ACLBindingRuleDeleteRequest added in v1.5.0

// ACLBindingRuleDeleteRequest is used at the RPC layer for deletion requests.
type ACLBindingRuleDeleteRequest struct {
	BindingRuleID string // id of the rule to delete
	Datacenter    string // The datacenter to perform the request within
	EnterpriseMeta
	WriteRequest
}

ACLBindingRuleDeleteRequest is used at the RPC layer for deletion requests

func (*ACLBindingRuleDeleteRequest) RequestDatacenter added in v1.5.0

func (r *ACLBindingRuleDeleteRequest) RequestDatacenter() string

type ACLBindingRuleGetRequest added in v1.5.0

// ACLBindingRuleGetRequest is used at the RPC layer to perform rule read
// operations.
type ACLBindingRuleGetRequest struct {
	BindingRuleID string // id used for the rule lookup
	Datacenter    string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLBindingRuleGetRequest is used at the RPC layer to perform rule read operations

func (*ACLBindingRuleGetRequest) RequestDatacenter added in v1.5.0

func (r *ACLBindingRuleGetRequest) RequestDatacenter() string

type ACLBindingRuleListRequest added in v1.5.0

// ACLBindingRuleListRequest is used at the RPC layer to request a listing of
// rules.
type ACLBindingRuleListRequest struct {
	AuthMethod string // optional filter: only rules for this auth method
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLBindingRuleListRequest is used at the RPC layer to request a listing of rules

func (*ACLBindingRuleListRequest) RequestDatacenter added in v1.5.0

func (r *ACLBindingRuleListRequest) RequestDatacenter() string

type ACLBindingRuleListResponse added in v1.5.0

// ACLBindingRuleListResponse carries a listing of binding rules plus query
// metadata.
type ACLBindingRuleListResponse struct {
	BindingRules ACLBindingRules
	QueryMeta
}

type ACLBindingRuleResponse added in v1.5.0

// ACLBindingRuleResponse returns a single binding + metadata.
type ACLBindingRuleResponse struct {
	BindingRule *ACLBindingRule
	QueryMeta
}

ACLBindingRuleResponse returns a single binding + metadata

type ACLBindingRuleSetRequest added in v1.5.0

// ACLBindingRuleSetRequest is used at the RPC layer for creation and update
// requests.
type ACLBindingRuleSetRequest struct {
	BindingRule ACLBindingRule // The rule to upsert
	Datacenter  string         // The datacenter to perform the request within
	WriteRequest
}

ACLBindingRuleSetRequest is used at the RPC layer for creation and update requests

func (*ACLBindingRuleSetRequest) RequestDatacenter added in v1.5.0

func (r *ACLBindingRuleSetRequest) RequestDatacenter() string

type ACLBindingRules added in v1.5.0

// ACLBindingRules is a sortable list of binding rules.
type ACLBindingRules []*ACLBindingRule

func (ACLBindingRules) Sort added in v1.5.0

func (rules ACLBindingRules) Sort()

type ACLBootstrap

// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
// cluster. See ACLBootstrapInit / ACLBootstrapNow and the ACLBootstrap*Err
// values for the operations that read and update it.
type ACLBootstrap struct {
	// AllowBootstrap will only be true if no existing management tokens
	// have been found.
	AllowBootstrap bool

	RaftIndex
}

ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a cluster.

type ACLCaches added in v1.4.0

// ACLCaches bundles the caches used during ACL resolution — identities,
// policies, parsed policies, authorizers and roles — sized by ACLCachesConfig
// and created with NewACLCaches. Entries are read and written through the
// Get*/Put*/Remove* methods; Purge clears everything.
type ACLCaches struct {
	// contains filtered or unexported fields
}

func NewACLCaches added in v1.4.0

func NewACLCaches(config *ACLCachesConfig) (*ACLCaches, error)

func (*ACLCaches) GetAuthorizer added in v1.4.0

func (c *ACLCaches) GetAuthorizer(id string) *AuthorizerCacheEntry

GetAuthorizer fetches an authorizer from the cache and returns it

func (*ACLCaches) GetIdentity added in v1.4.0

func (c *ACLCaches) GetIdentity(id string) *IdentityCacheEntry

GetIdentity fetches an identity from the cache and returns it

func (*ACLCaches) GetParsedPolicy added in v1.4.0

func (c *ACLCaches) GetParsedPolicy(id string) *ParsedPolicyCacheEntry

GetParsedPolicy fetches a parsed policy from the cache and returns it

func (*ACLCaches) GetPolicy added in v1.4.0

func (c *ACLCaches) GetPolicy(policyID string) *PolicyCacheEntry

GetPolicy fetches a policy from the cache and returns it

func (*ACLCaches) GetRole added in v1.5.0

func (c *ACLCaches) GetRole(roleID string) *RoleCacheEntry

GetRole fetches a role from the cache by id and returns it

func (*ACLCaches) Purge added in v1.4.0

func (c *ACLCaches) Purge()

func (*ACLCaches) PutAuthorizer added in v1.4.0

func (c *ACLCaches) PutAuthorizer(id string, authorizer acl.Authorizer)

func (*ACLCaches) PutAuthorizerWithTTL added in v1.4.0

func (c *ACLCaches) PutAuthorizerWithTTL(id string, authorizer acl.Authorizer, ttl time.Duration)

func (*ACLCaches) PutIdentity added in v1.4.0

func (c *ACLCaches) PutIdentity(id string, ident ACLIdentity)

PutIdentity adds a new identity to the cache

func (*ACLCaches) PutParsedPolicy added in v1.4.0

func (c *ACLCaches) PutParsedPolicy(id string, policy *acl.Policy)

func (*ACLCaches) PutPolicy added in v1.4.0

func (c *ACLCaches) PutPolicy(policyId string, policy *ACLPolicy)

func (*ACLCaches) PutRole added in v1.5.0

func (c *ACLCaches) PutRole(roleID string, role *ACLRole)

func (*ACLCaches) RemoveIdentity added in v1.4.0

func (c *ACLCaches) RemoveIdentity(id string)

func (*ACLCaches) RemovePolicy added in v1.4.0

func (c *ACLCaches) RemovePolicy(policyID string)

func (*ACLCaches) RemoveRole added in v1.5.0

func (c *ACLCaches) RemoveRole(roleID string)

type ACLCachesConfig added in v1.4.0

// ACLCachesConfig configures NewACLCaches. Each field presumably is the
// capacity of the corresponding cache in ACLCaches — confirm against
// NewACLCaches, which is not on this page.
type ACLCachesConfig struct {
	Identities     int
	Policies       int
	ParsedPolicies int
	Authorizers    int
	Roles          int
}

type ACLIdentity added in v1.4.0

// ACLIdentity is the resolver's view of an authenticated principal: the
// policies, roles and service/node identities it carries, and whether it is
// still valid. It is what ACLCaches.PutIdentity stores.
type ACLIdentity interface {
	// ID returns a string that can be used for logging and telemetry. This should not
	// contain any secret data used for authentication
	ID() string
	// SecretToken returns the secret the caller authenticated with. Unlike
	// ID it is sensitive and must not end up in logs or telemetry.
	SecretToken() string
	PolicyIDs() []string
	RoleIDs() []string
	// EmbeddedPolicy returns a policy carried by the identity itself rather
	// than referenced by ID, or nil.
	EmbeddedPolicy() *ACLPolicy
	ServiceIdentityList() []*ACLServiceIdentity
	NodeIdentityList() []*ACLNodeIdentity
	// IsExpired reports whether the identity is no longer valid at asOf.
	IsExpired(asOf time.Time) bool
	// IsLocal reports whether the identity is datacenter-local (see
	// ACLAuthMethod.TokenLocality).
	IsLocal() bool
	EnterpriseMetadata() *EnterpriseMeta
}

type ACLLoginParams added in v1.5.0

// ACLLoginParams carries the inputs of an auth method login. BearerToken is
// the credential the named auth method verifies; it is sensitive and should
// not be logged.
type ACLLoginParams struct {
	AuthMethod  string
	BearerToken string
	Meta        map[string]string `json:",omitempty"`
	EnterpriseMeta
}

type ACLLoginRequest added in v1.5.0

// ACLLoginRequest is the RPC request that exchanges ACLLoginParams for a
// token.
type ACLLoginRequest struct {
	Auth       *ACLLoginParams
	Datacenter string // The datacenter to perform the request within
	WriteRequest
}

func (*ACLLoginRequest) RequestDatacenter added in v1.5.0

func (r *ACLLoginRequest) RequestDatacenter() string

type ACLLogoutRequest added in v1.5.0

// ACLLogoutRequest is the RPC request that ends a login session; the token
// being logged out is carried in the embedded WriteRequest — presumably;
// confirm at the RPC handler.
type ACLLogoutRequest struct {
	Datacenter string // The datacenter to perform the request within
	WriteRequest
}

func (*ACLLogoutRequest) RequestDatacenter added in v1.5.0

func (r *ACLLogoutRequest) RequestDatacenter() string

type ACLMode added in v1.4.0

// ACLMode encodes an agent's ACL enablement state as a single-character
// string.
type ACLMode string
const (
	// ACLs are disabled by configuration
	ACLModeDisabled ACLMode = "0"
	// ACLs are enabled
	ACLModeEnabled ACLMode = "1"
	// DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
	// ACLs are enabled and using legacy ACLs
	ACLModeLegacy ACLMode = "2"
	// DEPRECATED (ACL-Legacy-Compat) - only needed while legacy ACLs are supported
	// ACLs are assumed enabled but not being advertised
	ACLModeUnknown ACLMode = "3"
)

type ACLNodeIdentity added in v1.8.1

type ACLNodeIdentity struct {
	// NodeName identifies the Node that this identity authorizes access to
	NodeName string

	// Datacenter is required and specifies the datacenter of the node.
	Datacenter string
}

ACLNodeIdentity represents a high-level grant of all privileges necessary to assume the identity of the named node and manage it.

func (*ACLNodeIdentity) AddToHash added in v1.8.1

func (s *ACLNodeIdentity) AddToHash(h hash.Hash)

func (*ACLNodeIdentity) Clone added in v1.8.1

func (s *ACLNodeIdentity) Clone() *ACLNodeIdentity

func (*ACLNodeIdentity) EstimateSize added in v1.8.1

func (s *ACLNodeIdentity) EstimateSize() int

func (*ACLNodeIdentity) SyntheticPolicy added in v1.8.1

func (s *ACLNodeIdentity) SyntheticPolicy() *ACLPolicy

type ACLOp

type ACLOp string

ACLOp is used in RPCs to encode ACL operations.

const (
	// ACLSet creates or updates a token.
	ACLSet ACLOp = "set"

	// ACLDelete deletes a token.
	ACLDelete ACLOp = "delete"
)
const (
	// ACLBootstrapInit is used to perform a scan for existing tokens which
	// will decide whether bootstrapping is allowed for a cluster. This is
	// initiated by the leader when it steps up, if necessary.
	ACLBootstrapInit ACLOp = "bootstrap-init"

	// ACLBootstrapNow is used to perform a one-time ACL bootstrap operation on
	// a cluster to get the first management token.
	ACLBootstrapNow ACLOp = "bootstrap-now"

	// ACLForceSet is deprecated, but left for backwards compatibility.
	ACLForceSet ACLOp = "force-set"
)

type ACLPolicies added in v1.4.0

type ACLPolicies []*ACLPolicy

func (ACLPolicies) Compile added in v1.4.0

func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error)

func (ACLPolicies) HashKey added in v1.4.0

func (policies ACLPolicies) HashKey() string

HashKey returns a consistent hash for a set of policies.

func (ACLPolicies) Merge added in v1.4.0

func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error)

func (ACLPolicies) Sort added in v1.4.0

func (policies ACLPolicies) Sort()

type ACLPolicy

type ACLPolicy struct {
	// This is the internal UUID associated with the policy
	ID string

	// Unique name to reference the policy by.
	//   - Valid Characters: [a-zA-Z0-9-]
	//   - Valid Lengths: 1 - 128
	Name string

	// Human readable description (Optional)
	Description string

	// The rule set (using the updated rule syntax)
	Rules string

	// DEPRECATED (ACL-Legacy-Compat) - This is only needed while we support the legacy ACLs
	Syntax acl.SyntaxVersion `json:"-"`

	// Datacenters that the policy is valid within.
	//   - No wildcards allowed
	//   - If empty then the policy is valid within all datacenters
	Datacenters []string `json:",omitempty"`

	// Hash of the contents of the policy
	// This does not take into account the ID (which is immutable)
	// nor the raft metadata.
	//
	// This is needed mainly for replication purposes. When replicating from
	// one DC to another keeping the content Hash will allow us to avoid
	// unnecessary calls to the authoritative DC
	Hash []byte

	// Embedded Enterprise ACL Metadata
	EnterpriseMeta `mapstructure:",squash"`

	// Embedded Raft Metadata
	RaftIndex `hash:"ignore"`
}

func (*ACLPolicy) Clone added in v1.4.3

func (p *ACLPolicy) Clone() *ACLPolicy

func (*ACLPolicy) EnterprisePolicyMeta added in v1.7.0

func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta

func (*ACLPolicy) EstimateSize added in v1.4.0

func (p *ACLPolicy) EstimateSize() int

func (*ACLPolicy) SetHash added in v1.4.0

func (p *ACLPolicy) SetHash(force bool) []byte

func (*ACLPolicy) Stub added in v1.4.0

func (p *ACLPolicy) Stub() *ACLPolicyListStub

func (*ACLPolicy) UnmarshalJSON added in v1.6.2

func (t *ACLPolicy) UnmarshalJSON(data []byte) error

type ACLPolicyBatchDeleteRequest added in v1.4.0

type ACLPolicyBatchDeleteRequest struct {
	PolicyIDs []string
}

ACLPolicyBatchDeleteRequest is used at the Raft layer for batching multiple policy deletions

This is particularly useful during replication

type ACLPolicyBatchGetRequest added in v1.4.0

type ACLPolicyBatchGetRequest struct {
	PolicyIDs  []string // List of policy ids to fetch
	Datacenter string   // The datacenter to perform the request within
	QueryOptions
}

ACLPolicyBatchGetRequest is used at the RPC layer to request a subset of the policies associated with the token used for retrieval

func (*ACLPolicyBatchGetRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicyBatchGetRequest) RequestDatacenter() string

type ACLPolicyBatchResponse added in v1.4.0

type ACLPolicyBatchResponse struct {
	Policies []*ACLPolicy
	QueryMeta
}

type ACLPolicyBatchSetRequest added in v1.4.0

type ACLPolicyBatchSetRequest struct {
	Policies ACLPolicies
}

ACLPolicyBatchSetRequest is used at the Raft layer for batching multiple policy creations and updates

This is particularly useful during replication

type ACLPolicyDeleteRequest added in v1.4.0

type ACLPolicyDeleteRequest struct {
	PolicyID   string // The id of the policy to delete
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	WriteRequest
}

ACLPolicyDeleteRequest is used at the RPC layer for deletion requests

func (*ACLPolicyDeleteRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicyDeleteRequest) RequestDatacenter() string

type ACLPolicyGetRequest added in v1.4.0

type ACLPolicyGetRequest struct {
	PolicyID   string // id used for the policy lookup (one of PolicyID or PolicyName is allowed)
	PolicyName string // name used for the policy lookup (one of PolicyID or PolicyName is allowed)
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLPolicyGetRequest is used at the RPC layer to perform policy read operations

func (*ACLPolicyGetRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicyGetRequest) RequestDatacenter() string

type ACLPolicyIDType added in v1.4.0

type ACLPolicyIDType string
const (
	ACLPolicyName ACLPolicyIDType = "name"
	ACLPolicyID   ACLPolicyIDType = "id"
)

type ACLPolicyListRequest added in v1.4.0

type ACLPolicyListRequest struct {
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLPolicyListRequest is used at the RPC layer to request a listing of policies

func (*ACLPolicyListRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicyListRequest) RequestDatacenter() string

type ACLPolicyListResponse added in v1.4.0

type ACLPolicyListResponse struct {
	Policies ACLPolicyListStubs
	QueryMeta
}

type ACLPolicyListStub added in v1.4.0

type ACLPolicyListStub struct {
	ID          string
	Name        string
	Description string
	Datacenters []string
	Hash        []byte
	CreateIndex uint64
	ModifyIndex uint64
	EnterpriseMeta
}

type ACLPolicyListStubs added in v1.4.0

type ACLPolicyListStubs []*ACLPolicyListStub

func (ACLPolicyListStubs) Sort added in v1.4.0

func (policies ACLPolicyListStubs) Sort()

type ACLPolicyResolveLegacyRequest added in v1.4.0

type ACLPolicyResolveLegacyRequest struct {
	Datacenter string // The Datacenter the RPC may be sent to
	ACL        string // The Tokens Secret ID
	ETag       string // Caching ETag to prevent resending the policy when not needed
	QueryOptions
}

ACLPolicyResolveLegacyRequest is used to request an ACL by Token SecretID, conditionally filtering on an ID

func (*ACLPolicyResolveLegacyRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicyResolveLegacyRequest) RequestDatacenter() string

RequestDatacenter returns the DC this request is targeted to.

type ACLPolicyResolveLegacyResponse added in v1.4.0

type ACLPolicyResolveLegacyResponse struct {
	ETag   string
	Parent string
	Policy *acl.Policy
	TTL    time.Duration
	QueryMeta
}

type ACLPolicyResponse added in v1.4.0

type ACLPolicyResponse struct {
	Policy *ACLPolicy
	QueryMeta
}

ACLPolicyResponse returns a single policy + metadata

type ACLPolicySetRequest added in v1.4.0

type ACLPolicySetRequest struct {
	Policy     ACLPolicy // The policy to upsert
	Datacenter string    // The datacenter to perform the request within
	WriteRequest
}

ACLPolicySetRequest is used at the RPC layer for creation and update requests

func (*ACLPolicySetRequest) RequestDatacenter added in v1.4.0

func (r *ACLPolicySetRequest) RequestDatacenter() string

type ACLReplicationStatus

type ACLReplicationStatus struct {
	Enabled              bool
	Running              bool
	SourceDatacenter     string
	ReplicationType      ACLReplicationType
	ReplicatedIndex      uint64
	ReplicatedRoleIndex  uint64
	ReplicatedTokenIndex uint64
	LastSuccess          time.Time
	LastError            time.Time
}

ACLReplicationStatus provides information about the health of the ACL replication system.

type ACLReplicationType added in v1.4.0

type ACLReplicationType string
const (
	ACLReplicateLegacy   ACLReplicationType = "legacy"
	ACLReplicatePolicies ACLReplicationType = "policies"
	ACLReplicateRoles    ACLReplicationType = "roles"
	ACLReplicateTokens   ACLReplicationType = "tokens"
)

func (ACLReplicationType) SingularNoun added in v1.5.0

func (t ACLReplicationType) SingularNoun() string

type ACLRequest

type ACLRequest struct {
	Datacenter string
	Op         ACLOp
	ACL        ACL
	WriteRequest
}

ACLRequest is used to create, update or delete an ACL

func (*ACLRequest) RequestDatacenter

func (r *ACLRequest) RequestDatacenter() string

type ACLRequests

type ACLRequests []*ACLRequest

ACLRequests is a list of ACL change requests.

type ACLRole added in v1.5.0

type ACLRole struct {
	// ID is the internal UUID associated with the role
	ID string

	// Name is the unique name to reference the role by.
	Name string

	// Description is a human readable description (Optional)
	Description string

	// List of policy links.
	// Note this is the list of IDs and not the names. Prior to role creation
	// the list of policy names gets validated and the policy IDs get stored herein
	Policies []ACLRolePolicyLink `json:",omitempty"`

	// List of services to generate synthetic policies for.
	ServiceIdentities []*ACLServiceIdentity `json:",omitempty"`

	// List of nodes to generate synthetic policies for.
	NodeIdentities []*ACLNodeIdentity `json:",omitempty"`

	// Hash of the contents of the role
	// This does not take into account the ID (which is immutable)
	// nor the raft metadata.
	//
	// This is needed mainly for replication purposes. When replicating from
	// one DC to another keeping the content Hash will allow us to avoid
	// unnecessary calls to the authoritative DC
	Hash []byte

	// Embedded Enterprise ACL metadata
	EnterpriseMeta `mapstructure:",squash"`

	// Embedded Raft Metadata
	RaftIndex `hash:"ignore"`
}

func (*ACLRole) Clone added in v1.5.0

func (r *ACLRole) Clone() *ACLRole

func (*ACLRole) EstimateSize added in v1.5.0

func (r *ACLRole) EstimateSize() int

func (*ACLRole) NodeIdentityList added in v1.8.1

func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity

func (*ACLRole) SetHash added in v1.5.0

func (r *ACLRole) SetHash(force bool) []byte

func (*ACLRole) UnmarshalJSON added in v1.6.2

func (t *ACLRole) UnmarshalJSON(data []byte) error

type ACLRoleBatchDeleteRequest added in v1.5.0

type ACLRoleBatchDeleteRequest struct {
	RoleIDs []string
}

ACLRoleBatchDeleteRequest is used at the Raft layer for batching multiple role deletions

This is particularly useful during replication

type ACLRoleBatchGetRequest added in v1.5.0

type ACLRoleBatchGetRequest struct {
	RoleIDs    []string // List of role ids to fetch
	Datacenter string   // The datacenter to perform the request within
	QueryOptions
}

ACLRoleBatchGetRequest is used at the RPC layer to request a subset of the roles associated with the token used for retrieval

func (*ACLRoleBatchGetRequest) RequestDatacenter added in v1.5.0

func (r *ACLRoleBatchGetRequest) RequestDatacenter() string

type ACLRoleBatchResponse added in v1.5.0

type ACLRoleBatchResponse struct {
	Roles []*ACLRole
	QueryMeta
}

type ACLRoleBatchSetRequest added in v1.5.0

type ACLRoleBatchSetRequest struct {
	Roles             ACLRoles
	AllowMissingLinks bool
}

ACLRoleBatchSetRequest is used at the Raft layer for batching multiple role creations and updates

This is particularly useful during replication

type ACLRoleDeleteRequest added in v1.5.0

type ACLRoleDeleteRequest struct {
	RoleID     string // id of the role to delete
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	WriteRequest
}

ACLRoleDeleteRequest is used at the RPC layer for deletion requests

func (*ACLRoleDeleteRequest) RequestDatacenter added in v1.5.0

func (r *ACLRoleDeleteRequest) RequestDatacenter() string

type ACLRoleGetRequest added in v1.5.0

type ACLRoleGetRequest struct {
	RoleID     string // id used for the role lookup (one of RoleID or RoleName is allowed)
	RoleName   string // name used for the role lookup (one of RoleID or RoleName is allowed)
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLRoleGetRequest is used at the RPC layer to perform role read operations

func (*ACLRoleGetRequest) RequestDatacenter added in v1.5.0

func (r *ACLRoleGetRequest) RequestDatacenter() string

type ACLRoleListRequest added in v1.5.0

type ACLRoleListRequest struct {
	Policy     string // Policy filter
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLRoleListRequest is used at the RPC layer to request a listing of roles

func (*ACLRoleListRequest) RequestDatacenter added in v1.5.0

func (r *ACLRoleListRequest) RequestDatacenter() string

type ACLRoleListResponse added in v1.5.0

type ACLRoleListResponse struct {
	Roles ACLRoles
	QueryMeta
}
// ACLRolePolicyLink references a policy from a role.
type ACLRolePolicyLink struct {
	// ID is the authoritative reference: policy names are resolved to IDs
	// before a role is stored (see ACLRole.Policies).
	ID   string
	// Name is informational only and is excluded from the content hash, so a
	// mismatch between Name and ID is not detected by hashing.
	Name string `hash:"ignore"`
}

type ACLRoleResponse added in v1.5.0

type ACLRoleResponse struct {
	Role *ACLRole
	QueryMeta
}

ACLRoleResponse returns a single role + metadata

type ACLRoleSetRequest added in v1.5.0

type ACLRoleSetRequest struct {
	Role       ACLRole // The role to upsert
	Datacenter string  // The datacenter to perform the request within
	WriteRequest
}

ACLRoleSetRequest is used at the RPC layer for creation and update requests

func (*ACLRoleSetRequest) RequestDatacenter added in v1.5.0

func (r *ACLRoleSetRequest) RequestDatacenter() string

type ACLRoles added in v1.5.0

type ACLRoles []*ACLRole

func (ACLRoles) HashKey added in v1.5.0

func (roles ACLRoles) HashKey() string

HashKey returns a consistent hash for a set of roles.

func (ACLRoles) Sort added in v1.5.0

func (roles ACLRoles) Sort()

type ACLServiceIdentity added in v1.5.0

type ACLServiceIdentity struct {
	// ServiceName is the name of the catalog service whose identity is granted.
	ServiceName string

	// Datacenters that the synthetic policy will be valid within.
	//   - No wildcards allowed
	//   - If empty then the synthetic policy is valid within all datacenters
	//
	// Only valid for global tokens. It is an error to specify this for local tokens.
	Datacenters []string `json:",omitempty"`
}

ACLServiceIdentity represents a high-level grant of all necessary privileges to assume the identity of the named Service in the Catalog and within Connect.

func (*ACLServiceIdentity) AddToHash added in v1.5.0

func (s *ACLServiceIdentity) AddToHash(h hash.Hash)

func (*ACLServiceIdentity) Clone added in v1.5.0

func (*ACLServiceIdentity) EstimateSize added in v1.5.0

func (s *ACLServiceIdentity) EstimateSize() int

func (*ACLServiceIdentity) SyntheticPolicy added in v1.5.0

func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *EnterpriseMeta) *ACLPolicy

type ACLSpecificRequest

type ACLSpecificRequest struct {
	Datacenter string
	ACL        string
	QueryOptions
}

ACLSpecificRequest is used to request an ACL by ID

func (*ACLSpecificRequest) RequestDatacenter

func (r *ACLSpecificRequest) RequestDatacenter() string

RequestDatacenter returns the DC this request is targeted to.

type ACLToken added in v1.4.0

type ACLToken struct {
	// This is the UUID used for tracking and management purposes
	AccessorID string

	// This is the UUID used as the api token by clients.
	// It is credential material: do not log it, and note that read and list
	// responses may return it redacted (see the Redacted flag on
	// ACLTokenResponse and ACLTokenBatchResponse).
	SecretID string

	// Human readable string to display for the token (Optional)
	Description string

	// List of policy links - nil/empty for legacy tokens or if service identities are in use.
	// Note this is the list of IDs and not the names. Prior to token creation
	// the list of policy names gets validated and the policy IDs get stored herein
	Policies []ACLTokenPolicyLink `json:",omitempty"`

	// List of role links. Note this is the list of IDs and not the names.
	// Prior to token creation the list of role names gets validated and the
	// role IDs get stored herein
	Roles []ACLTokenRoleLink `json:",omitempty"`

	// List of services to generate synthetic policies for.
	ServiceIdentities []*ACLServiceIdentity `json:",omitempty"`

	// The node identities that this token should be allowed to manage.
	NodeIdentities []*ACLNodeIdentity `json:",omitempty"`

	// Type is the V1 Token Type
	// DEPRECATED (ACL-Legacy-Compat) - remove once we no longer support v1 ACL compat
	// Even though we are going to auto upgrade management tokens we still
	// want to be able to have the old APIs operate on the upgraded management tokens
	// so this field is being kept to identify legacy tokens even after an auto-upgrade
	Type string `json:"-"`

	// Rules is the V1 acl rules associated with
	// DEPRECATED (ACL-Legacy-Compat) - remove once we no longer support v1 ACL compat
	Rules string `json:",omitempty"`

	// Whether this token is DC local. This means that it will not be synced
	// to the ACL datacenter and replicated to others.
	Local bool

	// AuthMethod is the name of the auth method used to create this token.
	AuthMethod string `json:",omitempty"`

	// ACLAuthMethodEnterpriseMeta is the EnterpriseMeta for the AuthMethod that this token was created from
	ACLAuthMethodEnterpriseMeta

	// ExpirationTime represents the point after which a token should be
	// considered revoked and is eligible for destruction. The zero value
	// represents NO expiration.
	//
	// This is a pointer value so that the zero value is omitted properly
	// during json serialization. time.Time does not respect json omitempty
	// directives unfortunately.
	ExpirationTime *time.Time `json:",omitempty"`

	// ExpirationTTL is a convenience field for helping set ExpirationTime to a
	// value of CreateTime+ExpirationTTL. This can only be set during
	// TokenCreate and is cleared and used to initialize the ExpirationTime
	// field before being persisted to the state store or raft log.
	//
	// This is a string version of a time.Duration like "2m".
	ExpirationTTL time.Duration `json:",omitempty"`

	// The time when this token was created
	CreateTime time.Time `json:",omitempty"`

	// Hash of the contents of the token
	//
	// This is needed mainly for replication purposes. When replicating from
	// one DC to another keeping the content Hash will allow us to avoid
	// unnecessary calls to the authoritative DC
	Hash []byte

	// Embedded Enterprise Metadata
	EnterpriseMeta `mapstructure:",squash"`

	// Embedded Raft Metadata
	RaftIndex
}

func (*ACLToken) Clone added in v1.4.3

func (t *ACLToken) Clone() *ACLToken

func (*ACLToken) Convert added in v1.4.0

func (tok *ACLToken) Convert() (*ACL, error)

Convert attempts to convert an ACLToken into an ACLCompat.

func (*ACLToken) EmbeddedPolicy added in v1.4.0

func (t *ACLToken) EmbeddedPolicy() *ACLPolicy

func (*ACLToken) EnterpriseMetadata added in v1.7.0

func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta

func (*ACLToken) EstimateSize added in v1.4.0

func (t *ACLToken) EstimateSize() int

func (*ACLToken) HasExpirationTime added in v1.5.0

func (t *ACLToken) HasExpirationTime() bool

func (*ACLToken) ID added in v1.4.0

func (t *ACLToken) ID() string

func (*ACLToken) IsExpired added in v1.5.0

func (t *ACLToken) IsExpired(asOf time.Time) bool

func (*ACLToken) IsLocal added in v1.8.0

func (t *ACLToken) IsLocal() bool

func (*ACLToken) NodeIdentityList added in v1.8.1

func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity

func (*ACLToken) PolicyIDs added in v1.4.0

func (t *ACLToken) PolicyIDs() []string

func (*ACLToken) RoleIDs added in v1.5.0

func (t *ACLToken) RoleIDs() []string

func (*ACLToken) SecretToken added in v1.4.0

func (t *ACLToken) SecretToken() string

func (*ACLToken) ServiceIdentityList added in v1.5.0

func (t *ACLToken) ServiceIdentityList() []*ACLServiceIdentity

func (*ACLToken) SetHash added in v1.4.0

func (t *ACLToken) SetHash(force bool) []byte

func (*ACLToken) Stub added in v1.4.0

func (token *ACLToken) Stub() *ACLTokenListStub

func (*ACLToken) UnmarshalJSON added in v1.6.2

func (t *ACLToken) UnmarshalJSON(data []byte) (err error)

func (*ACLToken) UsesNonLegacyFields added in v1.5.0

func (t *ACLToken) UsesNonLegacyFields() bool

type ACLTokenBatchDeleteRequest added in v1.4.0

type ACLTokenBatchDeleteRequest struct {
	TokenIDs []string // Tokens to delete
}

ACLTokenBatchDeleteRequest is used only at the Raft layer for batching multiple token deletions.

This is particularly useful during token replication when multiple tokens need to be removed from the local DC's state.

type ACLTokenBatchGetRequest added in v1.4.0

type ACLTokenBatchGetRequest struct {
	AccessorIDs []string // List of accessor ids to fetch
	Datacenter  string   // The datacenter to perform the request within
	QueryOptions
}

ACLTokenBatchGetRequest is used for reading multiple tokens. It differs from the token list request in that only tokens with the requested ids are returned.

func (*ACLTokenBatchGetRequest) RequestDatacenter added in v1.4.0

func (r *ACLTokenBatchGetRequest) RequestDatacenter() string

type ACLTokenBatchResponse added in v1.4.0

type ACLTokenBatchResponse struct {
	Tokens   []*ACLToken
	Redacted bool // whether the token secrets were redacted.
	Removed  bool // whether any tokens were completely removed
	QueryMeta
}

ACLTokenBatchResponse returns multiple Tokens associated with the same metadata

type ACLTokenBatchSetRequest added in v1.4.0

type ACLTokenBatchSetRequest struct {
	// Tokens is the set of tokens to create or update in one Raft operation.
	Tokens               ACLTokens
	// CAS requests check-and-set semantics for the batch; which index is
	// compared is not visible here — confirm in the FSM apply path.
	CAS                  bool
	// AllowMissingLinks permits policy/role links that do not resolve locally,
	// presumably because replication may deliver tokens before the objects
	// they link to — confirm.
	AllowMissingLinks    bool
	// ProhibitUnprivileged is presumably a guard against persisting tokens
	// that would grant nothing; confirm the exact rule in the FSM.
	ProhibitUnprivileged bool
	// FromReplication marks batches that originate from ACL replication rather
	// than from an API write.
	FromReplication      bool
}

ACLTokenBatchSetRequest is used only at the Raft layer for batching multiple token creation/update operations

This is particularly useful during token replication and during automatic legacy token upgrades.

type ACLTokenBootstrapRequest added in v1.4.0

type ACLTokenBootstrapRequest struct {
	Token      ACLToken // Token to use for bootstrapping
	ResetIndex uint64   // Reset index
}

ACLTokenBootstrapRequest is used only at the Raft layer for ACL bootstrapping

The RPC layer will use a generic DCSpecificRequest to indicate that bootstrapping must be performed but the actual token and the resetIndex will be generated by that RPC endpoint

type ACLTokenDeleteRequest added in v1.4.0

type ACLTokenDeleteRequest struct {
	TokenID    string // ID of the token to delete
	Datacenter string // The datacenter to perform the request within
	EnterpriseMeta
	WriteRequest
}

ACLTokenDeleteRequest is used for token deletion operations at the RPC layer

func (*ACLTokenDeleteRequest) RequestDatacenter added in v1.4.0

func (r *ACLTokenDeleteRequest) RequestDatacenter() string

type ACLTokenGetRequest added in v1.4.0

type ACLTokenGetRequest struct {
	TokenID     string         // id used for the token lookup
	TokenIDType ACLTokenIDType // The Type of ID used to lookup the token
	Datacenter  string         // The datacenter to perform the request within
	EnterpriseMeta
	QueryOptions
}

ACLTokenGetRequest is used for token read operations at the RPC layer

func (*ACLTokenGetRequest) RequestDatacenter added in v1.4.0

func (r *ACLTokenGetRequest) RequestDatacenter() string

type ACLTokenIDType added in v1.4.0

type ACLTokenIDType string
const (
	ACLTokenSecret   ACLTokenIDType = "secret"
	ACLTokenAccessor ACLTokenIDType = "accessor"
)

type ACLTokenListRequest added in v1.4.0

type ACLTokenListRequest struct {
	IncludeLocal  bool   // Whether local tokens should be included
	IncludeGlobal bool   // Whether global tokens should be included
	Policy        string // Policy filter
	Role          string // Role filter
	AuthMethod    string // Auth Method filter
	Datacenter    string // The datacenter to perform the request within
	ACLAuthMethodEnterpriseMeta
	EnterpriseMeta
	QueryOptions
}

ACLTokenListRequest is used for token listing operations at the RPC layer

func (*ACLTokenListRequest) RequestDatacenter added in v1.4.0

func (r *ACLTokenListRequest) RequestDatacenter() string

type ACLTokenListResponse added in v1.4.0

type ACLTokenListResponse struct {
	Tokens ACLTokenListStubs
	QueryMeta
}

ACLTokenListResponse is used to return the secret-data-free stubs of the tokens

type ACLTokenListStub added in v1.4.0

// ACLTokenListStub is the reduced form of an ACLToken returned by listings.
type ACLTokenListStub struct {
	AccessorID        string
	// SecretID is present on the stub even though ACLTokenListResponse is
	// documented as returning secret-data-free stubs. NOTE(review): confirm
	// whether list endpoints populate or redact it before stubs are logged
	// or exposed.
	SecretID          string
	Description       string
	Policies          []ACLTokenPolicyLink  `json:",omitempty"`
	Roles             []ACLTokenRoleLink    `json:",omitempty"`
	ServiceIdentities []*ACLServiceIdentity `json:",omitempty"`
	NodeIdentities    []*ACLNodeIdentity    `json:",omitempty"`
	Local             bool
	AuthMethod        string     `json:",omitempty"`
	ExpirationTime    *time.Time `json:",omitempty"`
	CreateTime        time.Time  `json:",omitempty"`
	Hash              []byte
	CreateIndex       uint64
	ModifyIndex       uint64
	// Legacy is presumably set for tokens still using the V1 Type/Rules
	// fields (see ACLToken.Type) — confirm in Stub().
	Legacy            bool `json:",omitempty"`
	EnterpriseMeta
}

type ACLTokenListStubs added in v1.4.0

type ACLTokenListStubs []*ACLTokenListStub

func (ACLTokenListStubs) Sort added in v1.4.0

func (tokens ACLTokenListStubs) Sort()
// ACLTokenPolicyLink references a policy from a token.
type ACLTokenPolicyLink struct {
	// ID is the authoritative reference: policy names are resolved to IDs
	// before a token is stored (see ACLToken.Policies).
	ID   string
	// Name is informational only and is excluded from the content hash, so a
	// mismatch between Name and ID is not detected by hashing.
	Name string `hash:"ignore"`
}

type ACLTokenResponse added in v1.4.0

type ACLTokenResponse struct {
	Token            *ACLToken
	Redacted         bool // whether the token's secret was redacted
	SourceDatacenter string
	QueryMeta
}

ACLTokenResponse returns a single Token + metadata

// ACLTokenRoleLink references a role from a token.
type ACLTokenRoleLink struct {
	// ID is the authoritative reference: role names are resolved to IDs
	// before a token is stored (see ACLToken.Roles).
	ID   string
	// Name is informational only and is excluded from the content hash, so a
	// mismatch between Name and ID is not detected by hashing.
	Name string `hash:"ignore"`
}

type ACLTokenSetRequest added in v1.4.0

type ACLTokenSetRequest struct {
	ACLToken   ACLToken // Token to manipulate - I really dislike this name but "Token" is taken in the WriteRequest
	Create     bool     // Used to explicitly mark this request as a creation
	Datacenter string   // The datacenter to perform the request within
	WriteRequest
}

ACLTokenSetRequest is used for token creation and update operations at the RPC layer

func (*ACLTokenSetRequest) RequestDatacenter added in v1.4.0

func (r *ACLTokenSetRequest) RequestDatacenter() string

type ACLTokens added in v1.4.0

type ACLTokens []*ACLToken

ACLTokens is a slice of ACLTokens.

func (ACLTokens) Sort added in v1.4.0

func (tokens ACLTokens) Sort()

type ACLs

type ACLs []*ACL

ACLs is a slice of ACLs.

type AWSCAProviderConfig added in v1.7.0

type AWSCAProviderConfig struct {
	CommonCAProviderConfig `mapstructure:",squash"`

	ExistingARN  string
	DeleteOnExit bool
}

type AgentMasterTokenIdentity added in v1.8.10

type AgentMasterTokenIdentity struct {
	// contains filtered or unexported fields
}

func NewAgentMasterTokenIdentity added in v1.8.10

func NewAgentMasterTokenIdentity(agent string, secretID string) *AgentMasterTokenIdentity

func (*AgentMasterTokenIdentity) EmbeddedPolicy added in v1.8.10

func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy

func (*AgentMasterTokenIdentity) EnterpriseMetadata added in v1.8.10

func (id *AgentMasterTokenIdentity) EnterpriseMetadata() *EnterpriseMeta

func (*AgentMasterTokenIdentity) ID added in v1.8.10

func (*AgentMasterTokenIdentity) IsExpired added in v1.8.10

func (id *AgentMasterTokenIdentity) IsExpired(asOf time.Time) bool

func (*AgentMasterTokenIdentity) IsLocal added in v1.8.10

func (id *AgentMasterTokenIdentity) IsLocal() bool

func (*AgentMasterTokenIdentity) NodeIdentityList added in v1.8.10

func (id *AgentMasterTokenIdentity) NodeIdentityList() []*ACLNodeIdentity

func (*AgentMasterTokenIdentity) PolicyIDs added in v1.8.10

func (id *AgentMasterTokenIdentity) PolicyIDs() []string

func (*AgentMasterTokenIdentity) RoleIDs added in v1.8.10

func (id *AgentMasterTokenIdentity) RoleIDs() []string

func (*AgentMasterTokenIdentity) SecretToken added in v1.8.10

func (id *AgentMasterTokenIdentity) SecretToken() string

func (*AgentMasterTokenIdentity) ServiceIdentityList added in v1.8.10

func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity

type AuthorizerCacheEntry added in v1.4.0

type AuthorizerCacheEntry struct {
	Authorizer acl.Authorizer
	CacheTime  time.Time
	TTL        time.Duration
}

func (*AuthorizerCacheEntry) Age added in v1.4.0

type AutopilotConfig

type AutopilotConfig struct {
	// CleanupDeadServers controls whether to remove dead servers when a new
	// server is added to the Raft peers.
	CleanupDeadServers bool

	// LastContactThreshold is the limit on the amount of time a server can go
	// without leader contact before being considered unhealthy.
	LastContactThreshold time.Duration

	// MaxTrailingLogs is the amount of entries in the Raft Log that a server can
	// be behind before being considered unhealthy.
	MaxTrailingLogs uint64

	// MinQuorum sets the minimum number of servers required in a cluster
	// before autopilot can prune dead servers.
	MinQuorum uint

	// ServerStabilizationTime is the minimum amount of time a server must be
	// in a stable, healthy state before it can be added to the cluster. Only
	// applicable with Raft protocol version 3 or higher.
	ServerStabilizationTime time.Duration

	// (Enterprise-only) RedundancyZoneTag is the node tag to use for separating
	// servers into zones for redundancy. If left blank, this feature will be disabled.
	RedundancyZoneTag string

	// (Enterprise-only) DisableUpgradeMigration will disable Autopilot's upgrade migration
	// strategy of waiting until enough newer-versioned servers have been added to the
	// cluster before promoting them to voters.
	DisableUpgradeMigration bool

	// (Enterprise-only) UpgradeVersionTag is the node tag to use for version info when
	// performing upgrade migrations. If left blank, the Consul version will be used.
	UpgradeVersionTag string

	// CreateIndex/ModifyIndex store the create/modify indexes of this configuration.
	CreateIndex uint64
	ModifyIndex uint64
}

AutopilotConfig holds the Autopilot configuration for a cluster.

func (*AutopilotConfig) ToAutopilotLibraryConfig added in v1.9.0

func (c *AutopilotConfig) ToAutopilotLibraryConfig() *autopilot.Config

type AutopilotHealthReply added in v1.9.0

type AutopilotHealthReply struct {
	// Healthy is true if all the servers in the cluster are healthy.
	Healthy bool

	// FailureTolerance is the number of healthy servers that could be lost without
	// an outage occurring.
	FailureTolerance int

	// Servers holds the health of each server.
	Servers []AutopilotServerHealth
}

AutopilotHealthReply is a representation of the overall health of the cluster

type AutopilotServerHealth added in v1.9.0

type AutopilotServerHealth struct {
	// ID is the raft ID of the server.
	ID string

	// Name is the node name of the server.
	Name string

	// Address is the address of the server.
	Address string

	// The status of the SerfHealth check for the server.
	SerfStatus serf.MemberStatus

	// Version is the version of the server.
	Version string

	// Leader is whether this server is currently the leader.
	Leader bool

	// LastContact is the time since this node's last contact with the leader.
	LastContact time.Duration

	// LastTerm is the highest leader term this server has a record of in its Raft log.
	LastTerm uint64

	// LastIndex is the last log index this server has a record of in its Raft log.
	LastIndex uint64

	// Healthy is whether or not the server is healthy according to the current
	// Autopilot config.
	Healthy bool

	// Voter is whether this is a voting server.
	Voter bool

	// StableSince is the last time this server's Healthy value changed.
	StableSince time.Time
}

AutopilotServerHealth is the health (from the leader's point of view) of a server.

type AutopilotSetConfigRequest

// AutopilotSetConfigRequest is used by the Operator endpoint to update the
// current Autopilot configuration of the cluster.
type AutopilotSetConfigRequest struct {
	// Datacenter is the target this request is intended for.
	Datacenter string

	// Config is the new Autopilot configuration to use.
	Config AutopilotConfig

	// CAS controls whether to use check-and-set semantics for this request, so
	// that a concurrent update is not silently overwritten. Presumably the
	// comparison is against Config.ModifyIndex — confirm in the Operator endpoint.
	CAS bool

	// WriteRequest holds the ACL token to go along with this request. Autopilot
	// settings govern how server health is judged (see
	// AutopilotServerHealth.Healthy), so this should be treated as an
	// operator-level write; confirm the exact ACL check in the endpoint.
	WriteRequest
}

AutopilotSetConfigRequest is used by the Operator endpoint to update the current Autopilot configuration of the cluster.

func (*AutopilotSetConfigRequest) RequestDatacenter

func (op *AutopilotSetConfigRequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type CAConfiguration added in v1.2.0

// CAConfiguration is the configuration for the current Connect CA provider.
// It is persisted through Raft (see the embedded RaftIndex) and applied via
// CARequest.Config.
type CAConfiguration struct {
	// ClusterID is a unique identifier for the cluster. It is excluded from JSON
	// (`json:"-"`), so it is neither accepted from nor returned to API clients
	// through the JSON encoding.
	ClusterID string `json:"-"`

	// Provider is the CA provider implementation to use.
	Provider string

	// Configuration is arbitrary configuration for the provider. This
	// should only contain primitive values and containers (such as lists
	// and maps). Depending on the provider it may carry credentials for an
	// external CA, so treat the whole map as sensitive when logging or
	// returning it — nothing on this field redacts it.
	Config map[string]interface{}

	// State is optionally used by the provider to persist information it needs
	// between reloads like UUIDs of resources it manages. It only supports string
	// values to avoid gotchas with interface{}, since this is encoded through
	// msgpack when it's written through raft. If providers used a custom struct
	// or even a simple `int` type, msgpack's loose type information during
	// encode/decode would hand providers back different types, and they would
	// have to remember to test multiple variants of state handling to account
	// for cases where it's been through msgpack or not. Keeping this as strings
	// only forces compatibility and leaves the input providers have to work with
	// unambiguous — they can parse ints or other types as they need. We expect
	// this only to be used to store a handful of identifiers anyway so this is
	// simpler.
	State map[string]string

	// ForceWithoutCrossSigning indicates that the CA reconfiguration should go
	// ahead even if the current CA is unable to cross sign certificates. This
	// risks temporary connection failures during the rollout as new leaf certs
	// will be rejected by proxies that have not yet observed the new root cert,
	// but it is the only option if a CA that doesn't support cross signing
	// needs to be reconfigured or migrated away from.
	ForceWithoutCrossSigning bool

	RaftIndex
}

CAConfiguration is the configuration for the current CA plugin.

func (*CAConfiguration) GetCommonConfig added in v1.2.2

func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error)

func (*CAConfiguration) UnmarshalJSON added in v1.7.0

func (c *CAConfiguration) UnmarshalJSON(data []byte) (err error)

type CAConsulProviderState added in v1.2.0

// CAConsulProviderState is the state the built-in Consul CA provider persists
// through Raft (see the embedded RaftIndex) between reloads.
type CAConsulProviderState struct {
	// ID identifies this provider state record.
	ID               string
	// PrivateKey is the provider's CA signing key. This is secret material that
	// lives in the Raft log; the field carries no json:"-" tag, so any code
	// path that hands this struct to a caller must strip it explicitly.
	PrivateKey       string
	// RootCert is the root CA certificate (presumably PEM, like CARoot.RootCert).
	RootCert         string
	// IntermediateCert is the intermediate CA certificate that signs leaves.
	IntermediateCert string

	RaftIndex
}

CAConsulProviderState is used to track the built-in Consul CA provider's state.

type CALeafOp added in v1.4.1

// CALeafOp is the operation carried by a CALeafRequest, which modifies Connect
// CA leaf-certificate data through the FSM.
type CALeafOp string

CALeafOp is the operation for a request related to leaf certificates.

const (
	// CALeafOpIncrementIndex is the only leaf operation defined; by name it
	// advances the leaf-certificate index. CALeafRequest carries no payload for
	// it beyond Op, Datacenter and the WriteRequest.
	CALeafOpIncrementIndex CALeafOp = "increment-index"
)

type CALeafRequest added in v1.4.1

// CALeafRequest is used to modify connect CA leaf data. This is used by the
// FSM (agent/consul/fsm) to apply changes.
type CALeafRequest struct {
	// Op is the type of operation being requested. This determines what
	// other fields are required. Only CALeafOpIncrementIndex is defined.
	Op CALeafOp

	// Datacenter is the target for this request.
	Datacenter string

	// WriteRequest is a common struct containing ACL tokens and other
	// write-related common elements for requests.
	WriteRequest
}

CALeafRequest is used to modify connect CA leaf data. This is used by the FSM (agent/consul/fsm) to apply changes.

func (*CALeafRequest) RequestDatacenter added in v1.4.1

func (q *CALeafRequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type CAOp added in v1.2.0

// CAOp is the operation carried by a CARequest: it selects which Connect CA
// data (roots, provider config, built-in provider state) the FSM changes.
type CAOp string

CAOp is the operation for a CARequest, i.e. a request that modifies Connect CA data (trusted roots, the provider configuration, or the built-in provider's state).

// The descriptions below follow the operation names and the CARequest fields
// they pair with; the FSM (agent/consul/fsm) is the authority on what each does.
const (
	// CAOpSetRoots replaces the set of trusted roots (CARequest.Roots).
	CAOpSetRoots                      CAOp = "set-roots"
	// CAOpSetConfig replaces the provider configuration (CARequest.Config).
	CAOpSetConfig                     CAOp = "set-config"
	// CAOpSetProviderState stores the built-in provider's state
	// (CARequest.ProviderState), which includes its private key.
	CAOpSetProviderState              CAOp = "set-provider-state"
	// CAOpDeleteProviderState removes the built-in provider's state.
	CAOpDeleteProviderState           CAOp = "delete-provider-state"
	// CAOpSetRootsAndConfig applies roots and config in one operation.
	CAOpSetRootsAndConfig             CAOp = "set-roots-config"
	// CAOpIncrementProviderSerialNumber advances the serial number counter the
	// built-in provider uses for the certificates it issues.
	CAOpIncrementProviderSerialNumber CAOp = "increment-provider-serial"
)

type CARequest added in v1.2.0

// CARequest is used to modify connect CA data. This is used by the FSM
// (agent/consul/fsm) to apply changes. Which of the payload fields must be set
// depends on Op.
type CARequest struct {
	// Op is the type of operation being requested. This determines what
	// other fields are required.
	Op CAOp

	// Datacenter is the target for this request.
	Datacenter string

	// Index is used by CAOpSetRoots and CAOpSetConfig for a CAS operation.
	Index uint64

	// Roots is a list of roots. By name this is the payload for CAOpSetRoots and
	// CAOpSetRootsAndConfig (there is no CAOpSet). One root must always be
	// active (see CARoot.Active).
	Roots []*CARoot

	// Config is the configuration for the current CA plugin.
	Config *CAConfiguration

	// ProviderState is the state for the builtin CA provider. It contains the
	// provider's private key (CAConsulProviderState.PrivateKey).
	ProviderState *CAConsulProviderState

	// WriteRequest is a common struct containing ACL tokens and other
	// write-related common elements for requests.
	WriteRequest
}

CARequest is used to modify connect CA data. This is used by the FSM (agent/consul/fsm) to apply changes.

func (*CARequest) RequestDatacenter added in v1.2.0

func (q *CARequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type CARoot added in v1.2.0

// CARoot represents a root CA certificate that is trusted, together with the
// intermediates and (optionally) the signing material that hangs off it.
type CARoot struct {
	// ID is a globally unique ID (UUID) representing this CA root.
	ID string

	// Name is a human-friendly name for this CA root. This value is
	// opaque to Consul and is not used for anything internally.
	Name string

	// SerialNumber is the x509 serial number of the certificate.
	SerialNumber uint64

	// SigningKeyID is the ID of the public key that corresponds to the private
	// key used to sign leaf certificates. It is the HexString format of the
	// raw AuthorityKeyID bytes.
	SigningKeyID string

	// ExternalTrustDomain is the trust domain this root was generated under. It
	// is usually empty implying "the current cluster trust-domain". It is set
	// only in the case that a cluster changes trust domain and then all old roots
	// that are still trusted have the old trust domain set here.
	//
	// We currently DON'T validate these trust domains explicitly anywhere, see
	// IndexedRoots.TrustDomain doc. We retain this information for debugging and
	// future flexibility.
	ExternalTrustDomain string

	// Time validity bounds.
	NotBefore time.Time
	NotAfter  time.Time

	// RootCert is the PEM-encoded public certificate.
	RootCert string

	// IntermediateCerts is a list of PEM-encoded intermediate certs to
	// attach to any leaf certs signed by this CA.
	IntermediateCerts []string

	// SigningCert is the PEM-encoded signing certificate and SigningKey
	// is the PEM-encoded private key for the signing certificate. These
	// may actually be empty if the CA plugin in use manages these for us.
	//
	// SigningKey is secret material. omitempty only drops it when it is empty,
	// so any path that serializes a CARoot into an API response must clear it
	// explicitly (compare RotatedOutAt below, which is excluded with json:"-").
	SigningCert string `json:",omitempty"`
	SigningKey  string `json:",omitempty"`

	// Active is true if this is the current active CA. This must only
	// be true for exactly one CA. For any method that modifies roots in the
	// state store, tests should be written to verify that multiple roots
	// cannot be active.
	Active bool

	// RotatedOutAt is the time at which this CA was removed from the state.
	// This will only be set on roots that have been rotated out from being the
	// active root. It is never exposed through JSON (json:"-").
	RotatedOutAt time.Time `json:"-"`

	// PrivateKeyType is the type of the private key used to sign certificates. It
	// may be "rsa" or "ec". This is provided as a convenience to avoid parsing
	// the public key from the certificate to infer the type.
	PrivateKeyType string

	// PrivateKeyBits is the length of the private key used to sign certificates.
	// This is provided as a convenience to avoid parsing the public key from the
	// certificate to infer the size.
	PrivateKeyBits int

	RaftIndex
}

CARoot represents a root CA certificate that is trusted.

func (*CARoot) Clone added in v1.8.7

func (c *CARoot) Clone() *CARoot

type CARoots added in v1.2.0

// CARoots is a list of CARoot structures. Exactly one element is expected to
// have Active set (see CARoot.Active).
type CARoots []*CARoot

CARoots is a list of CARoot structures.

type CASignRequest added in v1.2.0

// CASignRequest is the request for signing a service (leaf) certificate from a
// caller-supplied CSR.
type CASignRequest struct {
	// Datacenter is the target for this request.
	Datacenter string

	// CSR is the PEM-encoded CSR. It is untrusted input: the identity it asks
	// for (its URI SAN, the identifier Connect uses for clients — see
	// ConnectAuthorizeRequest.ClientCertURI) is presumably checked against what
	// the token in WriteRequest may act as before anything is signed. That
	// check lives in the signing RPC, not here — confirm it there.
	CSR string

	// WriteRequest is a common struct containing ACL tokens and other
	// write-related common elements for requests.
	WriteRequest
}

CASignRequest is the request for signing a service certificate.

func (*CASignRequest) RequestDatacenter added in v1.2.0

func (q *CASignRequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type CheckDefinition

// CheckDefinition is used to JSON decode the Check definitions (the hcl tag on
// EnterpriseMeta shows it is the HCL config shape as well). Most fields mirror
// CheckType; CheckType() and HealthCheck() perform the conversions.
type CheckDefinition struct {
	ID        types.CheckID
	Name      string
	Notes     string
	ServiceID string
	// Token is, by name, an ACL token carried with the check definition. It is
	// a credential persisted with the definition: keep it out of logs and of
	// anything that echoes the definition back to callers.
	Token     string
	Status    string

	// Copied fields from CheckType without the fields
	// already present in CheckDefinition:
	//
	//   ID (CheckID), Name, Status, Notes
	//
	// ScriptArgs, DockerContainerID and Shell describe checks that execute a
	// command (see CheckType.IsScript / CheckType.IsDocker). Whether the agent
	// permits such checks is governed by agent configuration not visible here.
	ScriptArgs                     []string
	HTTP                           string
	H2PING                         string
	// Header may carry authorization headers for the HTTP check and should be
	// treated as sensitive when the definition is displayed or logged.
	Header                         map[string][]string
	Method                         string
	Body                           string
	TCP                            string
	Interval                       time.Duration
	DockerContainerID              string
	Shell                          string
	GRPC                           string
	GRPCUseTLS                     bool
	TLSServerName                  string
	// TLSSkipVerify, by name, disables certificate verification for the TLS-based
	// check types; a check that relies on it proves nothing about the identity of
	// the peer it talked to.
	TLSSkipVerify                  bool
	AliasNode                      string
	AliasService                   string
	Timeout                        time.Duration
	TTL                            time.Duration
	SuccessBeforePassing           int
	FailuresBeforeCritical         int
	DeregisterCriticalServiceAfter time.Duration
	// OutputMaxSize is, by name, a cap on the check output the agent retains —
	// a bound on memory/log growth from a noisy check.
	OutputMaxSize                  int

	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
}

CheckDefinition is used to JSON decode the Check definitions

func (*CheckDefinition) CheckType

func (c *CheckDefinition) CheckType() *CheckType

func (*CheckDefinition) HealthCheck

func (c *CheckDefinition) HealthCheck(node string) *HealthCheck

func (*CheckDefinition) UnmarshalJSON added in v1.6.2

func (t *CheckDefinition) UnmarshalJSON(data []byte) (err error)

type CheckID added in v1.7.0

// CheckID is a check identifier qualified by enterprise metadata, so that the
// same types.CheckID in different namespaces is distinguishable.
type CheckID struct {
	ID types.CheckID
	EnterpriseMeta
}

func NewCheckID added in v1.7.0

func NewCheckID(id types.CheckID, entMeta *EnterpriseMeta) CheckID

func (CheckID) String added in v1.7.0

func (cid CheckID) String() string

func (CheckID) StringHash added in v1.7.0

func (cid CheckID) StringHash() string

StringHash is used mainly to populate part of the filename of a check definition persisted on the local agent

type CheckServiceNode

// CheckServiceNode is used to provide the node, its service definition, as well
// as the HealthChecks that are associated with them. See BestAddress for
// address selection and CanRead for the ACL gate applied when returning one.
type CheckServiceNode struct {
	Node    *Node
	Service *NodeService
	Checks  HealthChecks
}

CheckServiceNode is used to provide the node, its service definition, as well as a HealthCheck that is associated.

func (*CheckServiceNode) BestAddress added in v1.6.0

func (csn *CheckServiceNode) BestAddress(wan bool) (string, int)

func (*CheckServiceNode) CanRead added in v1.9.0

type CheckServiceNodes

// CheckServiceNodes is a list of CheckServiceNode. Note that Filter and
// FilterIgnore modify the receiver in place in addition to returning it.
type CheckServiceNodes []CheckServiceNode

func (CheckServiceNodes) Filter

func (nodes CheckServiceNodes) Filter(onlyPassing bool) CheckServiceNodes

Filter removes nodes that are failing health checks (and any non-passing check if that option is selected). Note that this returns the filtered results AND modifies the receiver for performance.

func (CheckServiceNodes) FilterIgnore added in v1.0.7

func (nodes CheckServiceNodes) FilterIgnore(onlyPassing bool,
	ignoreCheckIDs []types.CheckID) CheckServiceNodes

FilterIgnore removes nodes that are failing health checks just like Filter. It also ignores the status of any check with an ID present in ignoreCheckIDs as if that check didn't exist. Note that this returns the filtered results AND modifies the receiver for performance.

func (CheckServiceNodes) ShallowClone added in v1.8.0

func (nodes CheckServiceNodes) ShallowClone() CheckServiceNodes

ShallowClone duplicates the slice and underlying array.

func (CheckServiceNodes) Shuffle

func (nodes CheckServiceNodes) Shuffle()

Shuffle does an in-place random shuffle using the Fisher-Yates algorithm.

func (CheckServiceNodes) ToServiceDump added in v1.8.0

func (nodes CheckServiceNodes) ToServiceDump() ServiceDump

type CheckType

// CheckType is the decoded shape of a single health check. Exactly one check
// kind is expected to be set (TTL, Script, HTTP, TCP, Docker, GRPC, Alias or
// H2PING); Validate reports a mismatch and the Is* helpers identify the kind.
type CheckType struct {
	CheckID types.CheckID
	Name    string
	Status  string
	Notes   string

	// ScriptArgs, DockerContainerID and Shell describe checks that execute a
	// command (see IsScript / IsDocker). Whether the agent permits such checks is
	// governed by agent configuration not visible here.
	ScriptArgs             []string
	HTTP                   string
	H2PING                 string
	// Header may carry authorization headers for the HTTP check and should be
	// treated as sensitive when the check is displayed or logged.
	Header                 map[string][]string
	Method                 string
	Body                   string
	TCP                    string
	Interval               time.Duration
	AliasNode              string
	AliasService           string
	DockerContainerID      string
	Shell                  string
	GRPC                   string
	GRPCUseTLS             bool
	TLSServerName          string
	// TLSSkipVerify, by name, disables certificate verification for the TLS-based
	// check types; a check that relies on it proves nothing about the identity of
	// the peer it talked to.
	TLSSkipVerify          bool
	Timeout                time.Duration
	TTL                    time.Duration
	SuccessBeforePassing   int
	FailuresBeforeCritical int

	// Definition fields used when exposing checks through a proxy
	ProxyHTTP string
	ProxyGRPC string

	// DeregisterCriticalServiceAfter, if >0, will cause the associated
	// service, if any, to be deregistered if this check is critical for
	// longer than this duration.
	DeregisterCriticalServiceAfter time.Duration
	// OutputMaxSize is, by name, a cap on the check output the agent retains.
	OutputMaxSize                  int
}

CheckType is used to create either the CheckMonitor or the CheckTTL. The following types are supported: Script, HTTP, TCP, Docker, TTL, GRPC, Alias, H2PING. Script, HTTP, Docker, TCP, GRPC, and H2PING all require Interval. Only one of the types may be provided: TTL or Script/Interval or HTTP/Interval or TCP/Interval or Docker/Interval or GRPC/Interval or AliasService or H2PING/Interval. Since types like CheckHTTP and CheckGRPC derive from CheckType, there are helper conversion methods that do the reverse conversion, i.e. checkHTTP.CheckType().

func (*CheckType) Empty added in v1.0.0

func (c *CheckType) Empty() bool

Empty checks if the CheckType has no fields defined. Empty checks parsed from json configs are filtered out

func (*CheckType) IsAlias added in v1.2.2

func (c *CheckType) IsAlias() bool

IsAlias checks if this is an alias check.

func (*CheckType) IsDocker

func (c *CheckType) IsDocker() bool

IsDocker returns true when checking a docker container.

func (*CheckType) IsGRPC added in v1.0.4

func (c *CheckType) IsGRPC() bool

IsGRPC checks if this is a GRPC type

func (*CheckType) IsH2PING added in v1.10.0

func (c *CheckType) IsH2PING() bool

IsH2PING checks if this is a H2PING type

func (*CheckType) IsHTTP

func (c *CheckType) IsHTTP() bool

IsHTTP checks if this is a HTTP type

func (*CheckType) IsMonitor

func (c *CheckType) IsMonitor() bool

IsMonitor checks if this is a Monitor type

func (*CheckType) IsScript

func (c *CheckType) IsScript() bool

IsScript checks if this is a check that execs some kind of script.

func (*CheckType) IsTCP

func (c *CheckType) IsTCP() bool

IsTCP checks if this is a TCP type

func (*CheckType) IsTTL

func (c *CheckType) IsTTL() bool

IsTTL checks if this is a TTL type

func (*CheckType) Type added in v1.6.2

func (c *CheckType) Type() string

func (*CheckType) UnmarshalJSON added in v1.6.2

func (t *CheckType) UnmarshalJSON(data []byte) (err error)

func (*CheckType) Validate added in v1.0.0

func (c *CheckType) Validate() error

Validate returns an error message if the check is invalid

type CheckTypes

// CheckTypes is a list of CheckType pointers.
type CheckTypes []*CheckType

type ChecksInStateRequest

// ChecksInStateRequest is used to query for checks in a given state.
type ChecksInStateRequest struct {
	Datacenter      string
	// NodeMetaFilters restricts results to nodes whose metadata matches.
	NodeMetaFilters map[string]string
	// State is the check state to match (e.g. passing/critical).
	State           string
	// Source identifies the requester, presumably for near-sorting of results.
	Source          QuerySource

	EnterpriseMeta `mapstructure:",squash"`
	QueryOptions
}

ChecksInStateRequest is used to query for nodes in a state

func (*ChecksInStateRequest) RequestDatacenter

func (r *ChecksInStateRequest) RequestDatacenter() string

type CommonCAProviderConfig added in v1.2.2

// CommonCAProviderConfig holds the settings shared by every CA provider
// (certificate TTLs, CSR rate limits and key generation parameters).
// CAConfiguration.GetCommonConfig returns it for the current configuration.
type CommonCAProviderConfig struct {
	// LeafCertTTL is the validity period of leaf (service) certificates and
	// IntermediateCertTTL that of intermediate CA certificates. A shorter leaf
	// TTL bounds the window in which a leaked leaf key remains usable.
	LeafCertTTL         time.Duration
	IntermediateCertTTL time.Duration

	// SkipValidate is undocumented here; by name it bypasses provider config
	// validation. Treat it as a test/escape hatch rather than a production
	// setting — confirm its exact effect in the provider code.
	SkipValidate bool

	// CSRMaxPerSecond is a rate limit on processing Connect Certificate Signing
	// Requests on the servers. It applies to all CA providers so can be used to
	// limit rate to an external CA too. 0 disables the rate limit. Defaults to 50
	// which is low enough to prevent overload of a reasonably sized production
	// server while allowing a cluster with 1000 service instances to complete a
	// rotation in 20 seconds. For reference a quad-core 2017 MacBook pro can
	// process 100 signing RPCs a second while using less than half of one core.
	// For large clusters with powerful servers it's advisable to increase this
	// rate or to disable this limit and instead rely on CSRMaxConcurrent to only
	// consume a subset of the server's cores.
	CSRMaxPerSecond float32

	// CSRMaxConcurrent is a limit on how many concurrent CSR signing requests
	// will be processed in parallel. New incoming signing requests will try for
	// `consul.csrSemaphoreWait` (currently 500ms) for a slot before being
	// rejected with a "rate limited" backpressure response. This effectively sets
	// how many CPU cores can be occupied by Connect CA signing activity and
	// should be a (small) subset of your server's available cores to allow other
	// tasks to complete when a barrage of CSRs come in (e.g. after a CA root
	// rotation). Setting to 0 disables the limit, attempting to sign certs
	// immediately in the RPC goroutine. This is 0 by default and CSRMaxPerSecond
	// is used. This is ignored if CSRMaxPerSecond is non-zero.
	//
	// Note that with both this and CSRMaxPerSecond set to 0 there is no
	// backpressure at all, and a flood of CSRs can occupy every server core.
	CSRMaxConcurrent int

	// PrivateKeyType specifies which type of key the CA should generate. It only
	// applies when the provider is generating its own key and is ignored if the
	// provider already has a key or an external key is provided. Supported values
	// are "ec" or "rsa". "ec" is the default and will generate a NIST P-256
	// Elliptic key.
	PrivateKeyType string

	// PrivateKeyBits specifies the number of bits the CA's private key should
	// use. For RSA, supported values are 2048 and 4096. For EC, supported values
	// are 224, 256, 384 and 521 and correspond to the NIST P-* curve of the same
	// name. As with PrivateKeyType this is only relevant when the provider is
	// generating new CA keys (root or intermediate). P-224 gives only about 112
	// bits of security and 2048 is the RSA floor; prefer P-256 or larger (the
	// default) or 4096-bit RSA for long-lived CA keys.
	PrivateKeyBits int
}

func (CommonCAProviderConfig) Validate added in v1.2.2

func (c CommonCAProviderConfig) Validate() error

type CompiledDiscoveryChain added in v1.6.0

// CompiledDiscoveryChain is the result from taking a set of related config
// entries for a single service's discovery chain and restructuring them into a
// form that is more usable for actual service discovery. Walk it from StartNode
// through Nodes; Targets lists every endpoint the walk can end at.
type CompiledDiscoveryChain struct {
	ServiceName string
	Namespace   string // the namespace that the chain was compiled within
	Datacenter  string // the datacenter that the chain was compiled within

	// CustomizationHash is a unique hash of any data that affects the
	// compilation of the discovery chain other than config entries or the
	// name/namespace/datacenter evaluation criteria.
	//
	// If set, this value should be used to prefix/suffix any generated load
	// balancer data plane objects to avoid sharing customized and
	// non-customized versions.
	CustomizationHash string `json:",omitempty"`

	// Protocol is the overall protocol shared by everything in the chain.
	Protocol string `json:",omitempty"`

	// StartNode is the first key into the Nodes map that should be followed
	// when walking the discovery chain.
	StartNode string `json:",omitempty"`

	// Nodes contains all nodes available for traversal in the chain keyed by a
	// unique name.  You can walk this by starting with StartNode.
	//
	// NOTE: The names should be treated as opaque values and are only
	// guaranteed to be consistent within a single compilation, so they must not
	// be persisted or compared across compilations.
	Nodes map[string]*DiscoveryGraphNode `json:",omitempty"`

	// Targets is a list of all targets used in this chain.
	Targets map[string]*DiscoveryTarget `json:",omitempty"`
}

CompiledDiscoveryChain is the result from taking a set of related config entries for a single service's discovery chain and restructuring them into a form that is more usable for actual service discovery.

func (*CompiledDiscoveryChain) CompoundServiceName added in v1.10.0

func (c *CompiledDiscoveryChain) CompoundServiceName() ServiceName

func (*CompiledDiscoveryChain) ID added in v1.10.0

ID returns an ID that encodes the service, namespace, and datacenter. This ID allows us to compare a discovery chain target to the chain upstream itself.

func (*CompiledDiscoveryChain) IsDefault added in v1.6.0

func (c *CompiledDiscoveryChain) IsDefault() bool

IsDefault returns true if the compiled chain represents no routing, no splitting, and only the default resolution. We have to be careful here to avoid returning "yep this is default" when the only resolver action being applied is redirection to another resolver that is default, so we double check the resolver matches the requested resolver.

func (*CompiledDiscoveryChain) WillFailoverThroughMeshGateway added in v1.6.0

func (c *CompiledDiscoveryChain) WillFailoverThroughMeshGateway(node *DiscoveryGraphNode) bool

type CompoundResponse

// CompoundResponse is an interface for gathering multiple responses. It is
// used in cross-datacenter RPC calls where more than one datacenter is
// expected to reply: each reply is decoded into a value from New() and then
// merged with Add().
type CompoundResponse interface {
	// Add adds a new response to the compound response
	Add(interface{})

	// New returns an empty response object which can be passed around by
	// reference, and then passed to Add() later on.
	New() interface{}
}

CompoundResponse is an interface for gathering multiple responses. It is used in cross-datacenter RPC calls where more than 1 datacenter is expected to reply.

type ConfigEntry added in v1.5.0

// ConfigEntry is the interface for centralized configuration stored in Raft.
// Every config entry kind implements it; DecodeConfigEntry and MakeConfigEntry
// produce the concrete type for a given kind.
type ConfigEntry interface {
	GetKind() string
	GetName() string

	// This is called in the RPC endpoint and can apply defaults or limits.
	Normalize() error
	Validate() error

	// CanRead and CanWrite return whether or not the given Authorizer
	// has permission to read or write to the config entry, respectively.
	// These are the only per-kind authorization hooks on the interface, so a
	// kind that returns true unconditionally is effectively unprotected;
	// each implementation should consult the Authorizer for the resources the
	// entry actually affects.
	CanRead(acl.Authorizer) bool
	CanWrite(acl.Authorizer) bool

	GetMeta() map[string]string
	GetEnterpriseMeta() *EnterpriseMeta
	GetRaftIndex() *RaftIndex
}

ConfigEntry is the interface for centralized configuration stored in Raft. The statement that only service-defaults and proxy-defaults are supported is out of date: ConfigEntryListAllRequest below also lists service-resolver, service-splitter, service-router, terminating-gateway and ingress-gateway as config entry kinds.

func DecodeConfigEntry added in v1.5.0

func DecodeConfigEntry(raw map[string]interface{}) (ConfigEntry, error)

DecodeConfigEntry can be used to decode a ConfigEntry from a raw map value. Currently it's used in the HTTP API to decode ConfigEntry structs coming from JSON. Unlike some of our custom binary encodings we don't have a preamble including the kind, so we will not have a concrete type to decode into. In those cases we must first decode into a map[string]interface{} and then call this function to decode into a concrete type.

There is an 'api' variation of this in command/config/write/config_write.go:newDecodeConfigEntry

func MakeConfigEntry added in v1.5.0

func MakeConfigEntry(kind, name string) (ConfigEntry, error)

type ConfigEntryGraphError added in v1.6.0

// ConfigEntryGraphError reports a problem in the graph formed by related config
// entries (e.g. while compiling a discovery chain). Error() renders whichever
// of Message or Err is set.
type ConfigEntryGraphError struct {
	// one of Message or Err should be set
	Message string
	Err     error
}

func (*ConfigEntryGraphError) Error added in v1.6.0

func (e *ConfigEntryGraphError) Error() string

type ConfigEntryListAllRequest added in v1.9.0

// ConfigEntryListAllRequest is used when requesting to list all config entries
// of a set of kinds.
type ConfigEntryListAllRequest struct {
	// Kinds should always be set. For backwards compatibility with versions
	// prior to 1.9.0, if this is omitted or left empty it is assumed to mean
	// the subset of config entry kinds that were present in 1.8.0:
	//
	// proxy-defaults, service-defaults, service-resolver, service-splitter,
	// service-router, terminating-gateway, and ingress-gateway.
	//
	// Callers wanting newer kinds must therefore name them explicitly; an empty
	// list silently excludes them.
	Kinds      []string
	Datacenter string

	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	QueryOptions
}

ConfigEntryListAllRequest is used when requesting to list all config entries of a set of kinds.

func (*ConfigEntryListAllRequest) RequestDatacenter added in v1.9.0

func (r *ConfigEntryListAllRequest) RequestDatacenter() string

type ConfigEntryOp added in v1.5.0

// ConfigEntryOp is the operation carried by a ConfigEntryRequest.
type ConfigEntryOp string
const (
	// ConfigEntryUpsert creates or replaces the entry unconditionally.
	ConfigEntryUpsert    ConfigEntryOp = "upsert"
	// ConfigEntryUpsertCAS is the check-and-set variant of upsert, guarding
	// against overwriting a concurrent change.
	ConfigEntryUpsertCAS ConfigEntryOp = "upsert-cas"
	// ConfigEntryDelete removes the entry.
	ConfigEntryDelete    ConfigEntryOp = "delete"
)

type ConfigEntryQuery added in v1.5.0

// ConfigEntryQuery is used when requesting info about a single config entry,
// identified by Kind and Name.
type ConfigEntryQuery struct {
	Kind       string
	Name       string
	Datacenter string

	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	QueryOptions
}

ConfigEntryQuery is used when requesting info about a config entry.

func (*ConfigEntryQuery) CacheInfo added in v1.6.0

func (r *ConfigEntryQuery) CacheInfo() cache.RequestInfo

func (*ConfigEntryQuery) RequestDatacenter added in v1.5.0

func (c *ConfigEntryQuery) RequestDatacenter() string

type ConfigEntryRequest added in v1.5.0

// ConfigEntryRequest is used when creating/updating/deleting a ConfigEntry.
// Because Entry is an interface, the type has custom MarshalBinary /
// UnmarshalBinary implementations that carry the concrete kind.
type ConfigEntryRequest struct {
	// Op selects upsert, upsert-cas or delete.
	Op         ConfigEntryOp
	Datacenter string
	// Entry is the config entry to apply; its CanWrite is the per-kind
	// authorization check for this request.
	Entry      ConfigEntry

	WriteRequest
}

ConfigEntryRequest is used when creating/updating/deleting a ConfigEntry.

func (*ConfigEntryRequest) MarshalBinary added in v1.5.0

func (c *ConfigEntryRequest) MarshalBinary() (data []byte, err error)

func (*ConfigEntryRequest) RequestDatacenter added in v1.5.0

func (c *ConfigEntryRequest) RequestDatacenter() string

func (*ConfigEntryRequest) UnmarshalBinary added in v1.5.0

func (c *ConfigEntryRequest) UnmarshalBinary(data []byte) error

type ConfigEntryResponse added in v1.5.0

// ConfigEntryResponse returns a single ConfigEntry. As with ConfigEntryRequest
// it has custom binary (un)marshalling because Entry is an interface.
type ConfigEntryResponse struct {
	Entry ConfigEntry
	QueryMeta
}

ConfigEntryResponse returns a single ConfigEntry

func (*ConfigEntryResponse) MarshalBinary added in v1.5.0

func (c *ConfigEntryResponse) MarshalBinary() (data []byte, err error)

func (*ConfigEntryResponse) UnmarshalBinary added in v1.5.0

func (c *ConfigEntryResponse) UnmarshalBinary(data []byte) error

type ConnectAuthorizeRequest added in v1.2.0

// ConnectAuthorizeRequest is the structure of a request to authorize a
// connection from a client, identified by its TLS client certificate, to the
// Target service.
type ConnectAuthorizeRequest struct {
	// Target is the name of the service that is being requested.
	Target string

	// EnterpriseMeta is the embedded Consul Enterprise specific metadata
	EnterpriseMeta

	// ClientCertURI is a unique identifier for the requesting client. This
	// is currently the URI SAN from the TLS client certificate.
	//
	// ClientCertSerial is a colon-hex-encoded of the serial number for
	// the requesting client cert. This is used to check against revocation
	// lists.
	//
	// Both values are the authorization subject, so they must come from a
	// client certificate that was actually verified against the trusted CA
	// roots during the TLS handshake — never from a header or body the peer
	// controls. Nothing in this struct enforces that; the code that builds the
	// request is responsible for it.
	ClientCertURI    string
	ClientCertSerial string
}

ConnectAuthorizeRequest is the structure of a request to authorize a connection.

func (*ConnectAuthorizeRequest) TargetNamespace added in v1.7.0

func (req *ConnectAuthorizeRequest) TargetNamespace() string

type ConnectProxyConfig added in v1.3.0

// ConnectProxyConfig describes the configuration needed for any proxy, managed
// or unmanaged: a single logical service's listener and optionally upstreams
// and sidecar-related config for a single instance.
type ConnectProxyConfig struct {
	// DestinationServiceName is required and is the name of the service to accept
	// traffic for.
	DestinationServiceName string `json:",omitempty" alias:"destination_service_name"`

	// DestinationServiceID is optional and should only be specified for
	// "side-car" style proxies where the proxy is in front of just a single
	// instance of the service. It should be set to the service ID of the instance
	// being represented which must be registered to the same agent. It's valid to
	// provide a service ID that does not yet exist to avoid timing issues when
	// bootstrapping a service with a proxy.
	DestinationServiceID string `json:",omitempty" alias:"destination_service_id"`

	// LocalServiceAddress is the address of the local service instance. It is
	// optional and should only be specified for "side-car" style proxies. It will
	// default to 127.0.0.1 if the proxy is a "side-car" (DestinationServiceID is
	// set) but otherwise will be ignored. Pointing it at a non-loopback address
	// means the proxy forwards to that address in the clear.
	LocalServiceAddress string `json:",omitempty" alias:"local_service_address"`

	// LocalServicePort is the port of the local service instance. It is optional
	// and should only be specified for "side-car" style proxies. It will default
	// to the registered port for the instance if the proxy is a "side-car"
	// (DestinationServiceID is set) but otherwise will be ignored.
	LocalServicePort int `json:",omitempty" alias:"local_service_port"`

	// LocalServiceSocketPath is the socket of the local service instance. It is optional
	// and should only be specified for "side-car" style proxies.
	LocalServiceSocketPath string `json:",omitempty" alias:"local_service_socket_path"`

	// Mode represents how the proxy's inbound and upstream listeners are dialed.
	Mode ProxyMode

	// Config is the arbitrary configuration data provided with the proxy
	// registration. The bexpr:"-" tag excludes it from filter expressions, so
	// its contents cannot be probed through API filtering.
	Config map[string]interface{} `json:",omitempty" bexpr:"-"`

	// Upstreams describes any upstream dependencies the proxy instance should
	// setup.
	Upstreams Upstreams `json:",omitempty"`

	// MeshGateway defines the mesh gateway configuration for this upstream
	MeshGateway MeshGatewayConfig `json:",omitempty" alias:"mesh_gateway"`

	// Expose defines whether checks or paths are exposed through the proxy.
	// Anything listed here is reachable without the usual mTLS authorization,
	// so keep it to health-check endpoints.
	Expose ExposeConfig `json:",omitempty"`

	// TransparentProxy defines configuration for when the proxy is in
	// transparent mode.
	TransparentProxy TransparentProxyConfig `json:",omitempty" alias:"transparent_proxy"`
}

ConnectProxyConfig describes the configuration needed for any proxy, managed or unmanaged. It describes a single logical service's listener and optionally upstreams and sidecar-related config for a single instance. To describe a centralized proxy that routes traffic for multiple services, a different one of these would be needed for each, sharing the same LogicalProxyID.

func TestConnectProxyConfig added in v1.3.0

func TestConnectProxyConfig(t testing.T) ConnectProxyConfig

TestConnectProxyConfig returns a ConnectProxyConfig representing a valid Connect proxy.

func (*ConnectProxyConfig) MarshalJSON added in v1.6.0

func (c *ConnectProxyConfig) MarshalJSON() ([]byte, error)

func (*ConnectProxyConfig) ToAPI added in v1.3.0

ToAPI returns the api struct with the same fields. We have duplicates to avoid the api package depending on this one which imports a ton of Consul's core which you don't want if you are just trying to use our client in your app.

func (*ConnectProxyConfig) UnmarshalJSON added in v1.6.2

func (t *ConnectProxyConfig) UnmarshalJSON(data []byte) (err error)

type ConsulCAProviderConfig added in v1.2.0

// ConsulCAProviderConfig is the provider-specific configuration of the built-in
// Consul CA provider, layered on CommonCAProviderConfig.
type ConsulCAProviderConfig struct {
	CommonCAProviderConfig `mapstructure:",squash"`

	// PrivateKey and RootCert optionally supply an operator-provided CA key and
	// root certificate instead of letting the provider generate its own
	// (CommonCAProviderConfig.PrivateKeyType notes that the generation settings
	// are ignored when a key is provided). PrivateKey is secret material; given
	// the mapstructure tags it is presumably decoded from CAConfiguration.Config
	// and therefore persisted in Raft — handle it accordingly.
	PrivateKey string
	RootCert   string

	// DisableCrossSigning is really only useful in test code to use the built in
	// provider while exercising logic that depends on the CA provider ability to
	// cross sign. We don't document this config field publicly or make any
	// attempt to parse it from snake case unlike other fields here.
	DisableCrossSigning bool
}

func (*ConsulCAProviderConfig) Validate added in v1.7.0

func (c *ConsulCAProviderConfig) Validate() error

type CookieConfig added in v1.9.0

// CookieConfig contains configuration for the "cookie" hash policy type, which
// has Envoy generate a cookie for a client on its first request.
type CookieConfig struct {
	// Generates a session cookie with no expiration.
	Session bool `json:",omitempty"`

	// TTL for generated cookies. Cannot be specified for session cookies.
	TTL time.Duration `json:",omitempty"`

	// The path to set for the cookie
	Path string `json:",omitempty"`
}

CookieConfig contains configuration for the "cookie" hash policy type. This is specified to have Envoy generate a cookie for a client on its first request.

type Coordinate

// Coordinate stores a node name with its associated network coordinate within
// a network Segment.
type Coordinate struct {
	Node    string
	Segment string
	Coord   *coordinate.Coordinate
}

Coordinate stores a node name with its associated network coordinate.

type CoordinateUpdateRequest

// CoordinateUpdateRequest is used to update the network coordinate of a given
// node. Coord comes from the requesting agent, so the endpoint should confirm
// the token may write the named Node before applying it.
type CoordinateUpdateRequest struct {
	Datacenter string
	Node       string
	Segment    string
	Coord      *coordinate.Coordinate
	WriteRequest
}

CoordinateUpdateRequest is used to update the network coordinate of a given node.

func (*CoordinateUpdateRequest) RequestDatacenter

func (c *CoordinateUpdateRequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given update request.

type Coordinates

// Coordinates is a list of node coordinates; it is the payload of
// DatacenterMap and IndexedCoordinates.
type Coordinates []*Coordinate

type DCSpecificRequest

// DCSpecificRequest is the common shape of a read scoped to one datacenter.
// It is cacheable by the agent cache (CacheInfo / CacheMinIndex).
type DCSpecificRequest struct {
	// Datacenter the query is routed to (see RequestDatacenter).
	Datacenter      string
	// NodeMetaFilters narrows results by node metadata key/value pairs
	// (presumably all pairs must match — confirm against the state store).
	NodeMetaFilters map[string]string
	// Source identifies where the query originates.
	Source          QuerySource
	EnterpriseMeta  `hcl:",squash" mapstructure:",squash"`
	// QueryOptions carries the common read-side options.
	QueryOptions
}

DCSpecificRequest is used to query about a specific DC

func (*DCSpecificRequest) CacheInfo added in v1.2.0

func (r *DCSpecificRequest) CacheInfo() cache.RequestInfo

func (*DCSpecificRequest) CacheMinIndex added in v1.2.0

func (r *DCSpecificRequest) CacheMinIndex() uint64

func (*DCSpecificRequest) RequestDatacenter

func (r *DCSpecificRequest) RequestDatacenter() string

type DatacenterIndexedCheckServiceNodes added in v1.8.0

// DatacenterIndexedCheckServiceNodes is a per-datacenter map of
// CheckServiceNodes together with the query metadata of the response.
type DatacenterIndexedCheckServiceNodes struct {
	DatacenterNodes map[string]CheckServiceNodes
	QueryMeta
}

type DatacenterMap

// DatacenterMap groups the raw coordinates of the nodes in one datacenter.
// Coordinates are only comparable between nodes in the same AreaID.
type DatacenterMap struct {
	Datacenter  string
	AreaID      types.AreaID
	Coordinates Coordinates
}

DatacenterMap is used to represent a list of nodes with their raw coordinates, associated with a datacenter. Coordinates are only compatible between nodes in the same area.

type DatacentersRequest added in v1.6.0

// DatacentersRequest asks for the list of known datacenters. It carries only
// the common query options and is cacheable (see CacheInfo).
type DatacentersRequest struct {
	QueryOptions
}

func (*DatacentersRequest) CacheInfo added in v1.6.0

func (r *DatacentersRequest) CacheInfo() cache.RequestInfo

type DeregisterRequest

// DeregisterRequest is the payload of Catalog.Deregister. Its scope is decided
// by which identifiers are set: with ServiceID set only that service is
// removed; with no service provided the ENTIRE node is deregistered (CheckID
// presumably narrows the removal to one check — confirm against the
// endpoint). Callers intending a narrow removal must therefore set the ID
// explicitly rather than rely on the zero value. The embedded WriteRequest
// carries the ACL token.
type DeregisterRequest struct {
	Datacenter     string
	Node           string
	ServiceID      string
	CheckID        types.CheckID
	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	WriteRequest
}

DeregisterRequest is used for the Catalog.Deregister endpoint to deregister a node as providing a service. If no service is provided the entire node is deregistered.

func (*DeregisterRequest) RequestDatacenter

func (r *DeregisterRequest) RequestDatacenter() string

func (*DeregisterRequest) UnmarshalJSON added in v1.7.0

func (r *DeregisterRequest) UnmarshalJSON(data []byte) error

type DirEntries

// DirEntries is a list of KV store entries (see IndexedDirEntries).
type DirEntries []*DirEntry

type DirEntry

// DirEntry is a single key/value store entry.
type DirEntry struct {
	// LockIndex is the lock sequence number of the key.
	LockIndex uint64
	// Key is the full key.
	Key       string
	// Flags is an opaque 64-bit value stored alongside the entry for callers.
	Flags     uint64
	// Value is the stored bytes, kept verbatim and not interpreted. Assume it
	// is readable by anyone granted read on the key, so plaintext secrets do
	// not belong here.
	Value     []byte
	// Session is the session associated with the key's lock, if any.
	Session   string `json:",omitempty"`

	// EnterpriseMeta is excluded from bexpr filtering (`bexpr:"-"`), so
	// filter expressions cannot select on it.
	EnterpriseMeta `bexpr:"-"`
	RaftIndex
}

DirEntry is used to represent a directory entry. This is used for values in our Key-Value store.

func (*DirEntry) Clone

func (d *DirEntry) Clone() *DirEntry

Returns a clone of the given directory entry.

func (*DirEntry) Equal added in v1.6.0

func (d *DirEntry) Equal(o *DirEntry) bool

func (*DirEntry) FillAuthzContext added in v1.7.0

func (_ *DirEntry) FillAuthzContext(_ *acl.AuthorizerContext)

FillAuthzContext is a no-op stub in this build: both the receiver and the context parameter are unused, so nothing about a KV entry is added to the authorizer context.

type DiscoveryChainConfigEntries added in v1.6.0

// DiscoveryChainConfigEntries holds the raw, cross-referenced config entries
// that feed discovery chain compilation, keyed by ServiceID. Nothing here is
// defaulted; the Add* helpers are test conveniences (AddEntries panics on
// operator error).
type DiscoveryChainConfigEntries struct {
	Routers     map[ServiceID]*ServiceRouterConfigEntry
	Splitters   map[ServiceID]*ServiceSplitterConfigEntry
	Resolvers   map[ServiceID]*ServiceResolverConfigEntry
	Services    map[ServiceID]*ServiceConfigEntry
	GlobalProxy *ProxyConfigEntry
}

DiscoveryChainConfigEntries wraps just the raw cross-referenced config entries. None of these are defaulted.

func NewDiscoveryChainConfigEntries added in v1.6.0

func NewDiscoveryChainConfigEntries() *DiscoveryChainConfigEntries

func (*DiscoveryChainConfigEntries) AddEntries added in v1.6.0

func (e *DiscoveryChainConfigEntries) AddEntries(entries ...ConfigEntry)

AddEntries adds generic configs. Convenience function for testing. Panics on operator error.

func (*DiscoveryChainConfigEntries) AddResolvers added in v1.6.0

func (e *DiscoveryChainConfigEntries) AddResolvers(entries ...*ServiceResolverConfigEntry)

AddResolvers adds resolver configs. Convenience function for testing.

func (*DiscoveryChainConfigEntries) AddRouters added in v1.6.0

func (e *DiscoveryChainConfigEntries) AddRouters(entries ...*ServiceRouterConfigEntry)

AddRouters adds router configs. Convenience function for testing.

func (*DiscoveryChainConfigEntries) AddServices added in v1.6.0

func (e *DiscoveryChainConfigEntries) AddServices(entries ...*ServiceConfigEntry)

AddServices adds service configs. Convenience function for testing.

func (*DiscoveryChainConfigEntries) AddSplitters added in v1.6.0

func (e *DiscoveryChainConfigEntries) AddSplitters(entries ...*ServiceSplitterConfigEntry)

AddSplitters adds splitter configs. Convenience function for testing.

func (*DiscoveryChainConfigEntries) GetResolver added in v1.6.0

func (*DiscoveryChainConfigEntries) GetRouter added in v1.6.0

func (*DiscoveryChainConfigEntries) GetService added in v1.6.0

func (*DiscoveryChainConfigEntries) GetSplitter added in v1.6.0

func (*DiscoveryChainConfigEntries) IsChainEmpty added in v1.6.0

func (e *DiscoveryChainConfigEntries) IsChainEmpty() bool

func (*DiscoveryChainConfigEntries) IsEmpty added in v1.6.0

func (e *DiscoveryChainConfigEntries) IsEmpty() bool

type DiscoveryChainRequest added in v1.6.0

// DiscoveryChainRequest asks for the compiled discovery chain of a service.
// It is cacheable (CacheInfo); the enterprise fields are synthesized via
// GetEnterpriseMeta / WithEnterpriseMeta.
type DiscoveryChainRequest struct {
	// Name is the service whose chain is requested.
	Name                 string
	// EvaluateInDatacenter / EvaluateInNamespace select the context the chain
	// is compiled in, which may differ from Datacenter (where the RPC goes).
	EvaluateInDatacenter string
	EvaluateInNamespace  string

	// OverrideMeshGateway allows for the mesh gateway setting to be overridden
	// for any resolver in the compiled chain.
	OverrideMeshGateway MeshGatewayConfig

	// OverrideProtocol allows for the final protocol for the chain to be
	// altered.
	//
	// - If the chain ordinarily would be TCP and an L7 protocol is passed here
	// the chain will not include Routers or Splitters.
	//
	// - If the chain ordinarily would be L7 and TCP is passed here the chain
	// will not include Routers or Splitters.
	OverrideProtocol string

	// OverrideConnectTimeout allows for the ConnectTimeout setting to be
	// overridden for any resolver in the compiled chain.
	OverrideConnectTimeout time.Duration

	Datacenter string // where to route the RPC
	QueryOptions
}

DiscoveryChainRequest is used when requesting the discovery chain for a service.

func (*DiscoveryChainRequest) CacheInfo added in v1.6.0

func (r *DiscoveryChainRequest) CacheInfo() cache.RequestInfo

func (*DiscoveryChainRequest) GetEnterpriseMeta added in v1.7.0

func (req *DiscoveryChainRequest) GetEnterpriseMeta() *EnterpriseMeta

GetEnterpriseMeta is used to synthesize the EnterpriseMeta struct from fields in the DiscoveryChainRequest

func (*DiscoveryChainRequest) RequestDatacenter added in v1.6.0

func (r *DiscoveryChainRequest) RequestDatacenter() string

func (*DiscoveryChainRequest) WithEnterpriseMeta added in v1.7.0

func (req *DiscoveryChainRequest) WithEnterpriseMeta(_ *EnterpriseMeta)

WithEnterpriseMeta will populate the corresponding fields in the DiscoveryChainRequest from the EnterpriseMeta struct

type DiscoveryChainResponse added in v1.6.0

// DiscoveryChainResponse carries a compiled discovery chain plus the query
// metadata of the response.
type DiscoveryChainResponse struct {
	Chain *CompiledDiscoveryChain
	QueryMeta
}

type DiscoveryFailover added in v1.6.0

// DiscoveryFailover is the compiled form of ServiceResolverFailover: the
// target IDs (see DiscoveryTarget.ID) to fail over to.
type DiscoveryFailover struct {
	Targets []string `json:",omitempty"`
}

DiscoveryFailover is the compiled form of ServiceResolverFailover.

type DiscoveryGraphNode added in v1.6.0

// DiscoveryGraphNode is a single node in the compiled discovery chain. Type
// decides which of the optional sections is populated (IsRouter / IsSplitter
// / IsResolver); MapKey gives the node's key within the chain.
type DiscoveryGraphNode struct {
	Type string
	Name string // this is NOT necessarily a service

	// fields for Type==router
	Routes []*DiscoveryRoute `json:",omitempty"`

	// fields for Type==splitter
	Splits []*DiscoverySplit `json:",omitempty"`

	// fields for Type==resolver
	Resolver *DiscoveryResolver `json:",omitempty"`

	// shared by Type==resolver || Type==splitter
	LoadBalancer *LoadBalancer `json:",omitempty"`
}

DiscoveryGraphNode is a single node in the compiled discovery chain.

func (*DiscoveryGraphNode) IsResolver added in v1.6.0

func (s *DiscoveryGraphNode) IsResolver() bool

func (*DiscoveryGraphNode) IsRouter added in v1.6.0

func (s *DiscoveryGraphNode) IsRouter() bool

func (*DiscoveryGraphNode) IsSplitter added in v1.6.0

func (s *DiscoveryGraphNode) IsSplitter() bool

func (*DiscoveryGraphNode) MapKey added in v1.6.0

func (s *DiscoveryGraphNode) MapKey() string

type DiscoveryResolver added in v1.6.0

// DiscoveryResolver is the compiled form of ServiceResolverConfigEntry. It has
// custom JSON (un)marshalling.
type DiscoveryResolver struct {
	// Default is true when no explicit resolver config entry existed.
	Default        bool               `json:",omitempty"`
	// ConnectTimeout bounds connection attempts to the target.
	ConnectTimeout time.Duration      `json:",omitempty"`
	// Target is the ID of the primary DiscoveryTarget.
	Target         string             `json:",omitempty"`
	// Failover, if set, lists the targets tried when Target is unavailable.
	Failover       *DiscoveryFailover `json:",omitempty"`
}

DiscoveryResolver is the compiled form of ServiceResolverConfigEntry.

func (*DiscoveryResolver) MarshalJSON added in v1.6.0

func (r *DiscoveryResolver) MarshalJSON() ([]byte, error)

func (*DiscoveryResolver) UnmarshalJSON added in v1.6.0

func (r *DiscoveryResolver) UnmarshalJSON(data []byte) error

type DiscoveryRoute added in v1.6.0

// DiscoveryRoute is the compiled form of ServiceRoute: the route definition
// and the MapKey of the chain node traffic continues to when it matches.
type DiscoveryRoute struct {
	Definition *ServiceRoute `json:",omitempty"`
	NextNode   string        `json:",omitempty"`
}

DiscoveryRoute is the compiled form of ServiceRoute.

type DiscoverySplit added in v1.6.0

// DiscoverySplit is the compiled form of ServiceSplit: the share of traffic
// (Weight) sent on to the chain node named by NextNode.
type DiscoverySplit struct {
	Weight   float32 `json:",omitempty"`
	NextNode string  `json:",omitempty"`
}

DiscoverySplit is the compiled form of ServiceSplit.

type DiscoveryTarget added in v1.6.0

// DiscoveryTarget is everything needed to turn a resolver config entry into a
// catalog query producing service instances. Build one with
// NewDiscoveryTarget; String renders it and ServiceID identifies the service.
type DiscoveryTarget struct {
	// ID is a unique identifier for referring to this target in a compiled
	// chain. It should be treated as a per-compile opaque string.
	ID string `json:",omitempty"`

	// Service, ServiceSubset, Namespace and Datacenter locate the instances.
	Service       string `json:",omitempty"`
	ServiceSubset string `json:",omitempty"`
	Namespace     string `json:",omitempty"`
	Datacenter    string `json:",omitempty"`

	// MeshGateway controls mesh gateway usage for this target; Subset is the
	// resolved subset definition.
	MeshGateway MeshGatewayConfig     `json:",omitempty"`
	Subset      ServiceResolverSubset `json:",omitempty"`

	// External is true if this target is outside of this consul cluster.
	External bool `json:",omitempty"`

	// SNI is the sni field to use when connecting to this set of endpoints
	// over TLS. It is the server name presented in the TLS handshake and so
	// also what the peer's certificate is expected to match.
	SNI string `json:",omitempty"`

	// Name is the unique name for this target for use when generating load
	// balancer objects.  This has a structure similar to SNI, but will not be
	// affected by SNI customizations.
	Name string `json:",omitempty"`
}

DiscoveryTarget represents all of the inputs necessary to use a resolver config entry to execute a catalog query to generate a list of service instances during discovery.

func NewDiscoveryTarget added in v1.6.0

func NewDiscoveryTarget(service, serviceSubset, namespace, datacenter string) *DiscoveryTarget

func (*DiscoveryTarget) GetEnterpriseMetadata added in v1.7.0

func (t *DiscoveryTarget) GetEnterpriseMetadata() *EnterpriseMeta

func (*DiscoveryTarget) ServiceID added in v1.7.0

func (t *DiscoveryTarget) ServiceID() ServiceID

func (*DiscoveryTarget) String added in v1.6.0

func (t *DiscoveryTarget) String() string

type EnterpriseMeta added in v1.7.0

// EnterpriseMeta is an empty stub in this build: every method on it is a
// no-op or returns a default, and it carries no namespace information.
type EnterpriseMeta struct{}

EnterpriseMeta is an empty stub in this build; its methods are no-ops or return defaults, so no namespace information is carried.

func DefaultEnterpriseMeta added in v1.7.0

func DefaultEnterpriseMeta() *EnterpriseMeta

DefaultEnterpriseMeta stub

func NewEnterpriseMeta added in v1.10.0

func NewEnterpriseMeta(_ string) EnterpriseMeta

func ParseServiceIDString added in v1.7.0

func ParseServiceIDString(input string) (string, *EnterpriseMeta)

func ParseServiceNameString added in v1.8.0

func ParseServiceNameString(input string) (string, *EnterpriseMeta)

func ReplicationEnterpriseMeta added in v1.7.0

func ReplicationEnterpriseMeta() *EnterpriseMeta

ReplicationEnterpriseMeta stub

func WildcardEnterpriseMeta added in v1.7.0

func WildcardEnterpriseMeta() *EnterpriseMeta

WildcardEnterpriseMeta stub

func (*EnterpriseMeta) FillAuthzContext added in v1.7.0

func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.AuthorizerContext)

FillAuthzContext is a no-op stub in this build: both the receiver and the context parameter are unused, so the authorizer context is left untouched.

func (*EnterpriseMeta) IsSame added in v1.7.0

func (m *EnterpriseMeta) IsSame(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) LessThan added in v1.7.0

func (m *EnterpriseMeta) LessThan(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) Matches added in v1.7.0

func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool

func (*EnterpriseMeta) Merge added in v1.7.0

func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta)

func (*EnterpriseMeta) MergeNoWildcard added in v1.7.0

func (m *EnterpriseMeta) MergeNoWildcard(_ *EnterpriseMeta)

func (*EnterpriseMeta) NamespaceOrDefault added in v1.7.0

func (m *EnterpriseMeta) NamespaceOrDefault() string

func (*EnterpriseMeta) NamespaceOrEmpty added in v1.8.15

func (m *EnterpriseMeta) NamespaceOrEmpty() string

func (*EnterpriseMeta) Normalize added in v1.7.0

func (_ *EnterpriseMeta) Normalize()

type EventFireRequest

// EventFireRequest asks a server to fire a Serf user event. Unlike ordinary
// writes it embeds QueryOptions instead of WriteRequest so that any server,
// not just the leader, can process it; it does not touch the catalog. It is
// used only internally.
type EventFireRequest struct {
	// Datacenter the event is fired in (see RequestDatacenter).
	Datacenter string
	// Name is the event name.
	Name       string
	// Payload is the opaque event payload delivered with the event.
	Payload    []byte

	// Not using WriteRequest so that any server can process
	// the request. It is a bit unusual...
	//
	// NOTE(review): WriteRequest is documented in this package as the carrier
	// of ACL tokens for writes; confirm that QueryOptions still carries the
	// token here and that the event path authorizes on it.
	QueryOptions
}

EventFireRequest is used to ask a server to fire a Serf event. It is a bit odd, since it doesn't depend on the catalog or leader. Any node can respond, so it's not quite like a standard write request. This is used only internally.

func (*EventFireRequest) RequestDatacenter

func (r *EventFireRequest) RequestDatacenter() string

type EventFireResponse

// EventFireResponse is the reply to an EventFireRequest; it carries only the
// query metadata.
type EventFireResponse struct {
	QueryMeta
}

EventFireResponse is used to respond to a fire request.

type ExposeConfig added in v1.6.2

// ExposeConfig lists HTTP paths the Envoy proxy serves outside of Connect.
// Because these paths are reached without a Connect connection they do not
// get Connect's mutual-TLS protection, so the exposed set should be limited to
// what genuinely has to be reachable that way (typically health checks).
// Finalize validates the config and fills defaults.
type ExposeConfig struct {
	// Checks defines whether paths associated with Consul checks will be exposed.
	// This flag triggers exposing all HTTP and GRPC check paths registered for the service.
	// Note that "all" means every check registered for the service, including
	// ones added later.
	Checks bool `json:",omitempty"`

	// Paths is the list of paths exposed through the proxy.
	Paths []ExposePath `json:",omitempty"`
}

ExposeConfig describes HTTP paths to expose through Envoy outside of Connect. Users can expose individual paths and/or all HTTP/GRPC paths for checks. Because exposed paths are served outside of Connect they do not benefit from Connect's mutual-TLS protection, so the exposed set should be kept to what must be reachable that way.

func (ExposeConfig) Clone added in v1.7.9

func (e ExposeConfig) Clone() ExposeConfig

func (*ExposeConfig) Finalize added in v1.6.2

func (e *ExposeConfig) Finalize()

Finalize validates ExposeConfig and sets default values

func (*ExposeConfig) ToAPI added in v1.6.2

func (e *ExposeConfig) ToAPI() api.ExposeConfig

type ExposePath added in v1.6.2

// ExposePath is a single path served by the proxy outside of Connect (see
// ExposeConfig): requests arriving on ListenerPort for Path are forwarded to
// LocalPathPort on the service.
type ExposePath struct {
	// ListenerPort defines the port of the proxy's listener for exposed paths.
	// This listener is outside of Connect, so whatever can reach the port can
	// reach Path.
	ListenerPort int `json:",omitempty" alias:"listener_port"`

	// Path is the path to expose through the proxy, ie. "/metrics."
	Path string `json:",omitempty"`

	// LocalPathPort is the port that the service is listening on for the given path.
	LocalPathPort int `json:",omitempty" alias:"local_path_port"`

	// Protocol describes the upstream's service protocol.
	// Valid values are "http" and "http2", defaults to "http"
	Protocol string `json:",omitempty"`

	// ParsedFromCheck is set if this path was parsed from a registered check
	// (i.e. it was derived via ExposeConfig.Checks rather than listed
	// explicitly).
	ParsedFromCheck bool `json:",omitempty" alias:"parsed_from_check"`
}

func (*ExposePath) ToAPI added in v1.6.2

func (p *ExposePath) ToAPI() api.ExposePath

func (*ExposePath) UnmarshalJSON added in v1.6.2

func (t *ExposePath) UnmarshalJSON(data []byte) (err error)

type FederationState added in v1.8.0

// FederationState is the WAN-federation record for one datacenter, shared
// with every datacenter joined on the WAN. IsSame compares two records for
// anti-entropy purposes.
type FederationState struct {
	// Datacenter is the name of the datacenter.
	Datacenter string

	// MeshGateways is a snapshot of the catalog state for all mesh gateways in
	// this datacenter. Other datacenters use it to reach this one, so a
	// tampered snapshot would redirect cross-DC traffic; writes go through
	// FederationStateRequest, whose WriteRequest carries the ACL token.
	MeshGateways CheckServiceNodes `json:",omitempty"`

	// UpdatedAt keeps track of when this record was modified.
	UpdatedAt time.Time

	// PrimaryModifyIndex is the ModifyIndex of the original data as it exists
	// in the primary datacenter.
	PrimaryModifyIndex uint64

	// RaftIndex is local raft data.
	RaftIndex
}

FederationState defines some WAN federation related state that should be cross-shared between all datacenters joined on the WAN. One record exists per datacenter.

func (*FederationState) IsSame added in v1.8.0

func (c *FederationState) IsSame(other *FederationState) bool

IsSame is used to compare two federation states for the purposes of anti-entropy.

type FederationStateOp added in v1.8.0

// FederationStateOp names the operation of a FederationStateRequest; see
// FederationStateUpsert and FederationStateDelete.
type FederationStateOp string

FederationStateOp is the operation for a request related to federation states.

const (
	// FederationStateUpsert creates or replaces the record for a datacenter.
	FederationStateUpsert FederationStateOp = "upsert"
	// FederationStateDelete removes the record; only State.Datacenter need be set.
	FederationStateDelete FederationStateOp = "delete"
)

type FederationStateQuery added in v1.8.0

// FederationStateQuery reads the federation state of one datacenter. Note the
// two datacenter fields have different roles.
type FederationStateQuery struct {
	// Datacenter is the target this request is intended for.
	Datacenter string

	// TargetDatacenter is the name of a datacenter to fetch the federation state for.
	TargetDatacenter string

	// Options for queries
	QueryOptions
}

FederationStateQuery is used to query federation states.

func (*FederationStateQuery) RequestDatacenter added in v1.8.0

func (c *FederationStateQuery) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type FederationStateRequest added in v1.8.0

// FederationStateRequest upserts or deletes a federation state. It is a write
// and is authorized via the token in the embedded WriteRequest.
type FederationStateRequest struct {
	// Datacenter is the target for this request.
	Datacenter string

	// Op is the type of operation being requested.
	Op FederationStateOp

	// State is the federation state to upsert or in the case of a delete
	// only the State.Datacenter field should be set.
	State *FederationState

	// WriteRequest is a common struct containing ACL tokens and other
	// write-related common elements for requests.
	WriteRequest
}

FederationStateRequest is used to upsert and delete federation states.

func (*FederationStateRequest) RequestDatacenter added in v1.8.0

func (c *FederationStateRequest) RequestDatacenter() string

RequestDatacenter returns the datacenter for a given request.

type FederationStateResponse added in v1.8.0

// FederationStateResponse answers a FederationStateQuery; State is the record
// for the requested datacenter.
type FederationStateResponse struct {
	State *FederationState
	QueryMeta
}

FederationStateResponse is the response to a FederationStateQuery request.

type FederationStates added in v1.8.0

// FederationStates is a list of federation states; Sort orders it by
// datacenter.
type FederationStates []*FederationState

FederationStates is a list of federation states.

func (FederationStates) Sort added in v1.8.0

func (listings FederationStates) Sort()

Sort sorts federation states by their datacenter.

type GatewayService added in v1.8.0

// GatewayService links a gateway to one of the services it fronts, together
// with the per-service listener and TLS details. Addresses renders the
// addresses the service is reachable under; Clone and IsSame support
// copying and comparison.
type GatewayService struct {
	// Gateway and Service name the two ends of the link.
	Gateway      ServiceName
	Service      ServiceName
	// GatewayKind is the kind of gateway (e.g. ingress).
	GatewayKind  ServiceKind
	// Port and Protocol describe the listener on the gateway side.
	Port         int      `json:",omitempty"`
	Protocol     string   `json:",omitempty"`
	// Hosts are the hostnames associated with the service on the gateway.
	Hosts        []string `json:",omitempty"`
	// CAFile, CertFile and KeyFile are filesystem paths to TLS material
	// (judging by the names; presumably resolved on the gateway host —
	// confirm). KeyFile points at a private key: the path is not secret, but
	// the file it names must be protected.
	CAFile       string   `json:",omitempty"`
	CertFile     string   `json:",omitempty"`
	KeyFile      string   `json:",omitempty"`
	// SNI is the server name presented when connecting over TLS.
	SNI          string   `json:",omitempty"`
	// FromWildcard records that this link came from a wildcard ("*") service
	// entry rather than an explicit one.
	FromWildcard bool     `json:",omitempty"`
	RaftIndex
}

GatewayService is used to associate gateways with their linked services.

func (*GatewayService) Addresses added in v1.8.1

func (g *GatewayService) Addresses(defaultHosts []string) []string

func (*GatewayService) Clone added in v1.8.0

func (g *GatewayService) Clone() *GatewayService

func (*GatewayService) IsSame added in v1.8.0

func (g *GatewayService) IsSame(o *GatewayService) bool

type GatewayServices added in v1.8.0

// GatewayServices is a list of gateway/service links.
type GatewayServices []*GatewayService

type GatewayTLSConfig added in v1.8.0

// GatewayTLSConfig is the TLS configuration of an ingress gateway. At this
// version it is a single switch: there is no field here for minimum protocol
// version, cipher suites or client-certificate requirements.
type GatewayTLSConfig struct {
	// Indicates that TLS should be enabled for this gateway service
	Enabled bool
}

type HashPolicy added in v1.9.0

// HashPolicy selects the request attribute a hash-based load balancer keys
// on. Exactly one of SourceIP or Field+FieldValue is used per policy; several
// policies may be listed and are evaluated in order until a Terminal one
// produces a hash.
//
// NOTE(review): header, cookie and query-parameter values come from the
// client, so a client can choose which backend it lands on by choosing the
// value. That is fine for session stickiness but must not be relied on for
// isolation or fairness between clients.
type HashPolicy struct {
	// Field is the attribute type to hash on.
	// Must be one of "header","cookie", or "query_parameter".
	// Cannot be specified along with SourceIP.
	Field string `json:",omitempty"`

	// FieldValue is the value to hash.
	// ie. header name, cookie name, URL query parameter name
	// Cannot be specified along with SourceIP.
	FieldValue string `json:",omitempty" alias:"field_value"`

	// CookieConfig contains configuration for the "cookie" hash policy type.
	CookieConfig *CookieConfig `json:",omitempty" alias:"cookie_config"`

	// SourceIP determines whether the hash should be of the source IP rather than of a field and field value.
	// Cannot be specified along with Field or FieldValue.
	SourceIP bool `json:",omitempty" alias:"source_ip"`

	// Terminal will short circuit the computation of the hash when multiple hash policies are present.
	// If a hash is computed when a Terminal policy is evaluated,
	// then that hash will be used and subsequent hash policies will be ignored.
	Terminal bool `json:",omitempty"`
}

HashPolicy defines which attributes will be hashed by hash-based LB algorithms

type HealthCheck

// HealthCheck is one registered check on a node: its identity, current
// status and the definition it was registered with. IsSame compares the
// functional fields ignoring Raft metadata; Clone copies it (ServiceTags and
// Definition.Header are shared, not deep-copied).
type HealthCheck struct {
	Node        string
	CheckID     types.CheckID // Unique per-node ID
	Name        string        // Check name
	Status      string        // The current check status
	Notes       string        // Additional notes with the status
	// Output holds whatever the check or script produced. It is free-form
	// and may echo details of the target; do not assume it is free of
	// sensitive data when surfacing it.
	Output      string        // Holds output of script runs
	ServiceID   string        // optional associated service
	ServiceName string        // optional service name
	ServiceTags []string      // optional service tags
	Type        string        // Check type: http/ttl/tcp/etc

	// ExposedPort is the port of the exposed Envoy listener representing the
	// HTTP or GRPC health check of the service.
	ExposedPort int

	// Definition is excluded from bexpr filtering (`bexpr:"-"`), as are
	// EnterpriseMeta and RaftIndex below.
	Definition HealthCheckDefinition `bexpr:"-"`

	EnterpriseMeta `hcl:",squash" mapstructure:",squash" bexpr:"-"`

	RaftIndex `bexpr:"-"`
}

HealthCheck represents a single check on a given node.

func (*HealthCheck) CheckType added in v1.6.2

func (c *HealthCheck) CheckType() *CheckType

func (*HealthCheck) Clone

func (c *HealthCheck) Clone() *HealthCheck

Clone returns a distinct clone of the HealthCheck. Note that the "ServiceTags" and "Definition.Header" field are not deep copied.

func (*HealthCheck) CompoundCheckID added in v1.7.0

func (hc *HealthCheck) CompoundCheckID() CheckID

func (*HealthCheck) CompoundServiceID added in v1.7.0

func (hc *HealthCheck) CompoundServiceID() ServiceID

func (*HealthCheck) IsSame

func (c *HealthCheck) IsSame(other *HealthCheck) bool

IsSame checks if one HealthCheck is the same as another, without looking at the Raft information (that's why we didn't call it IsEqual). This is useful for seeing if an update would be idempotent for all the functional parts of the structure.

func (*HealthCheck) NodeIdentity added in v1.10.0

func (hc *HealthCheck) NodeIdentity() Identity

func (*HealthCheck) Validate added in v1.7.0

func (_ *HealthCheck) Validate() error

type HealthCheckDefinition added in v1.0.1

// HealthCheckDefinition is the check specification stored with a HealthCheck
// (HealthCheck.Definition). Which fields are meaningful depends on the check
// type (HTTP, TCP, H2PING, GRPC, script/docker, alias, TTL). It has custom
// JSON marshalling (MarshalJSON / UnmarshalJSON).
type HealthCheckDefinition struct {
	// HTTP is the target of an HTTP check.
	HTTP                           string              `json:",omitempty"`
	// TLSServerName overrides the server name used for TLS.
	TLSServerName                  string              `json:",omitempty"`
	// TLSSkipVerify, judging by its name, disables TLS certificate
	// verification for the check (confirm in the check runner). A check with
	// this set will pass against any endpoint that answers, so it should be
	// reserved for deliberately self-signed targets.
	TLSSkipVerify                  bool                `json:",omitempty"`
	// Header holds extra HTTP headers sent with the check. Anything placed
	// here (an Authorization header, say) is stored with the definition;
	// assume it is visible to anyone able to read the check.
	Header                         map[string][]string `json:",omitempty"`
	// Method and Body are the HTTP method and request body of an HTTP check.
	Method                         string              `json:",omitempty"`
	Body                           string              `json:",omitempty"`
	// TCP is the target of a TCP check; H2PING the target of an HTTP/2 ping.
	TCP                            string              `json:",omitempty"`
	H2PING                         string              `json:",omitempty"`
	// Interval is how often the check runs; Timeout bounds one execution.
	Interval                       time.Duration       `json:",omitempty"`
	// OutputMaxSize caps how much check output is retained.
	OutputMaxSize                  uint                `json:",omitempty"`
	Timeout                        time.Duration       `json:",omitempty"`
	// DeregisterCriticalServiceAfter deregisters the associated service once
	// the check has been critical for this long.
	DeregisterCriticalServiceAfter time.Duration       `json:",omitempty"`
	// ScriptArgs is the command and arguments of a script check. Script
	// output is recorded in HealthCheck.Output, so these run as a real
	// process on behalf of the agent (presumably on the agent host — confirm);
	// whoever may register such a check can execute commands there.
	ScriptArgs                     []string            `json:",omitempty"`
	// DockerContainerID and Shell select the container and shell a docker
	// check runs in.
	DockerContainerID              string              `json:",omitempty"`
	Shell                          string              `json:",omitempty"`
	// GRPC is the target of a gRPC check; GRPCUseTLS enables TLS for it.
	GRPC                           string              `json:",omitempty"`
	GRPCUseTLS                     bool                `json:",omitempty"`
	// AliasNode and AliasService make this check mirror another node's or
	// service's health.
	AliasNode                      string              `json:",omitempty"`
	AliasService                   string              `json:",omitempty"`
	// TTL is the freshness window of a TTL check.
	TTL                            time.Duration       `json:",omitempty"`
}

func (*HealthCheckDefinition) MarshalJSON added in v1.4.1

func (d *HealthCheckDefinition) MarshalJSON() ([]byte, error)

func (*HealthCheckDefinition) UnmarshalJSON added in v1.4.1

func (t *HealthCheckDefinition) UnmarshalJSON(data []byte) (err error)

type HealthChecks

// HealthChecks is a list of health checks (see IndexedHealthChecks).
type HealthChecks []*HealthCheck

HealthChecks is a collection of HealthCheck structs.

type Identity added in v1.10.0

// Identity names an entity (service, node, check) by ID plus enterprise
// metadata. It is intended to replace ServiceID, ServiceName and CheckID.
type Identity struct {
	ID string
	EnterpriseMeta
}

Identity of some entity (ex: service, node, check).

TODO: this type should replace ServiceID, ServiceName, and CheckID which all have roughly identical implementations.

type IdentityCacheEntry added in v1.4.0

// IdentityCacheEntry is a cached, resolved ACL identity together with the
// time it was cached; Age reports how long ago that was.
//
// NOTE(review): a cached identity presumably keeps answering until the entry
// is aged out, so the cache lifetime bounds how long a changed or deleted
// token remains usable — confirm the eviction policy in the resolver.
type IdentityCacheEntry struct {
	Identity  ACLIdentity
	CacheTime time.Time
}

func (*IdentityCacheEntry) Age added in v1.4.0

func (e *IdentityCacheEntry) Age() time.Duration

type IndexedACLs

// IndexedACLs is a list of ACL tokens together with the Raft metadata about
// them. Token listings are sensitive; callers are expected to have been
// authorized before this is returned.
type IndexedACLs struct {
	ACLs ACLs
	QueryMeta
}

IndexedACLs has tokens along with the Raft metadata about them.

type IndexedCARoots added in v1.2.0

// IndexedCARoots is the list of currently trusted CA roots. Every entry in
// Roots is trusted; ActiveRootID picks the one currently signing. Read the
// TrustDomain comment below carefully: the trust domain is NOT enforced at
// AuthZ time, so isolation from other clusters sharing a root depends on
// x509 Name Constraints at the CA rather than on this struct.
type IndexedCARoots struct {
	// ActiveRootID is the ID of a root in Roots that is the active CA root.
	// Other roots are still valid if they're in the Roots list but are in
	// the process of being rotated out.
	ActiveRootID string

	// TrustDomain is the identification root for this Consul cluster. All
	// certificates signed by the cluster's CA must have their identifying URI in
	// this domain.
	//
	// This does not include the protocol (currently spiffe://) since we may
	// implement other protocols in future with equivalent semantics. It should be
	// compared against the "authority" section of a URI (i.e. host:port).
	//
	// We need to support migrating a cluster between trust domains to support
	// Multi-DC migration in Enterprise. In this case the current trust domain is
	// here but entries in Roots may also have ExternalTrustDomain set to a
	// non-empty value implying they were previous roots that are still trusted
	// but under a different trust domain.
	//
	// Note that we DON'T validate trust domain during AuthZ since it causes
	// issues of loss of connectivity during migration between trust domains. The
	// only time the additional validation adds value is where the cluster shares
	// an external root (e.g. organization-wide root) with another distinct Consul
	// cluster or PKI system. In this case, x509 Name Constraints can be added to
	// enforce that Consul's CA can only validly sign or trust certs within the
	// same trust-domain. Name constraints as enforced by TLS handshake also allow
	// seamless rotation between trust domains thanks to cross-signing.
	TrustDomain string

	// Roots is a list of root CA certs to trust. Removing a root from this
	// list is what stops certificates chaining to it from being trusted.
	Roots []*CARoot

	// QueryMeta contains the meta sent via a header. We ignore for JSON
	// so this whole structure can be returned.
	QueryMeta `json:"-"`
}

IndexedCARoots is the list of currently trusted CA Roots.

type IndexedCheckServiceNodes

// IndexedCheckServiceNodes is a CheckServiceNodes result with query metadata.
type IndexedCheckServiceNodes struct {
	Nodes CheckServiceNodes
	QueryMeta
}

type IndexedConfigEntries added in v1.5.0

// IndexedConfigEntries is a list of config entries of one Kind with query
// metadata. Because ConfigEntry is an interface it carries its own binary
// encoding (MarshalBinary / UnmarshalBinary).
type IndexedConfigEntries struct {
	Kind    string
	Entries []ConfigEntry
	QueryMeta
}

IndexedConfigEntries has its own encoding logic which differs from ConfigEntryRequest as it has to send a slice of ConfigEntry.

func (*IndexedConfigEntries) MarshalBinary added in v1.5.0

func (c *IndexedConfigEntries) MarshalBinary() (data []byte, err error)

func (*IndexedConfigEntries) UnmarshalBinary added in v1.5.0

func (c *IndexedConfigEntries) UnmarshalBinary(data []byte) error

type IndexedCoordinate

// IndexedCoordinate is a single node's coordinate from the state store, with
// query metadata.
type IndexedCoordinate struct {
	Coord *coordinate.Coordinate
	QueryMeta
}

IndexedCoordinate is used to represent a single node's coordinate from the state store.

type IndexedCoordinates

// IndexedCoordinates is a list of nodes with their raw coordinates, with
// query metadata.
type IndexedCoordinates struct {
	Coordinates Coordinates
	QueryMeta
}

IndexedCoordinates is used to represent a list of nodes and their corresponding raw coordinates.

type IndexedDirEntries

// IndexedDirEntries is a list of KV entries with query metadata.
type IndexedDirEntries struct {
	Entries DirEntries
	QueryMeta
}

type IndexedFederationStates added in v1.8.0

// IndexedFederationStates is the list of all federation states with query
// metadata.
type IndexedFederationStates struct {
	States FederationStates
	QueryMeta
}

IndexedFederationStates represents the list of all federation states.

type IndexedGatewayServices added in v1.8.0

// IndexedGatewayServices is a list of gateway/service links with query
// metadata.
type IndexedGatewayServices struct {
	Services GatewayServices
	QueryMeta
}

type IndexedGenericConfigEntries added in v1.5.0

// IndexedGenericConfigEntries is a list of config entries of mixed kinds with
// query metadata; like IndexedConfigEntries it has its own binary encoding.
type IndexedGenericConfigEntries struct {
	Entries []ConfigEntry
	QueryMeta
}

func (*IndexedGenericConfigEntries) MarshalBinary added in v1.5.0

func (c *IndexedGenericConfigEntries) MarshalBinary() (data []byte, err error)

func (*IndexedGenericConfigEntries) UnmarshalBinary added in v1.5.0

func (c *IndexedGenericConfigEntries) UnmarshalBinary(data []byte) error

type IndexedHealthChecks

// IndexedHealthChecks is a list of health checks with query metadata.
type IndexedHealthChecks struct {
	HealthChecks HealthChecks
	QueryMeta
}

type IndexedIntentionMatches added in v1.2.0

// IndexedIntentionMatches is the result of an intention match query: one
// Intentions list per match entry in the request, with query metadata.
type IndexedIntentionMatches struct {
	Matches []Intentions
	QueryMeta
}

IndexedIntentionMatches represents the list of matches for a match query.

type IndexedIntentions added in v1.2.0

// IndexedIntentions is a list of intentions for RPC responses, with query
// metadata.
type IndexedIntentions struct {
	Intentions Intentions

	// DataOrigin is used to indicate if this query was satisfied against the
	// old legacy intentions ("legacy") memdb table or via config entries
	// ("config"). This is really only of value for the legacy intention
	// replication routine to correctly detect that it should exit.
	DataOrigin string `json:"-"`
	QueryMeta
}

IndexedIntentions represents a list of intentions for RPC responses.

type IndexedKeyList

// IndexedKeyList is a list of KV keys (no values) with query metadata.
type IndexedKeyList struct {
	Keys []string
	QueryMeta
}

type IndexedNodeDump

// IndexedNodeDump is a NodeDump with query metadata.
type IndexedNodeDump struct {
	Dump NodeDump
	QueryMeta
}

type IndexedNodeServiceList added in v1.7.0

// IndexedNodeServiceList is a NodeServiceList with query metadata.
type IndexedNodeServiceList struct {
	NodeServices NodeServiceList
	QueryMeta
}

type IndexedNodeServices

// IndexedNodeServices is the services of one node with query metadata.
// NodeServices may be nil when the node is unknown, so callers must check it.
type IndexedNodeServices struct {
	// TODO: This should not be a pointer, see comments in
	// agent/catalog_endpoint.go.
	NodeServices *NodeServices
	QueryMeta
}

type IndexedNodes

// IndexedNodes is a list of nodes with query metadata.
type IndexedNodes struct {
	Nodes Nodes
	QueryMeta
}

type IndexedNodesWithGateways added in v1.9.0

// IndexedNodesWithGateways is a CheckServiceNodes result alongside the
// gateway links relevant to it, with query metadata.
type IndexedNodesWithGateways struct {
	Nodes    CheckServiceNodes
	Gateways GatewayServices
	QueryMeta
}

type IndexedPreparedQueries

// IndexedPreparedQueries is a list of prepared queries with query metadata.
type IndexedPreparedQueries struct {
	Queries PreparedQueries
	QueryMeta
}

type IndexedServiceDump added in v1.8.0

// IndexedServiceDump is a ServiceDump with query metadata.
type IndexedServiceDump struct {
	Dump ServiceDump
	QueryMeta
}

type IndexedServiceList added in v1.7.0

// IndexedServiceList is a ServiceList with query metadata.
type IndexedServiceList struct {
	Services ServiceList
	QueryMeta
}

type IndexedServiceNodes

// IndexedServiceNodes is a ServiceNodes result with query metadata.
type IndexedServiceNodes struct {
	ServiceNodes ServiceNodes
	QueryMeta
}

type IndexedServiceTopology added in v1.9.0

// IndexedServiceTopology is a ServiceTopology with query metadata.
type IndexedServiceTopology struct {
	ServiceTopology *ServiceTopology
	// FilteredByACLs, going by its name, reports that some of the topology
	// was withheld because the caller's token could not read it; consumers
	// should surface it so a partial view is not mistaken for the whole.
	FilteredByACLs  bool
	QueryMeta
}

type IndexedServices

// IndexedServices is a Services listing with query metadata, plus the
// EnterpriseMeta the listing was taken for.
type IndexedServices struct {
	Services Services
	// In various situations we need to know the meta that the services are for - in particular
	// this is needed to be able to properly filter the list based on ACLs
	EnterpriseMeta
	QueryMeta
}

type IndexedSessions

// IndexedSessions is a list of sessions with query metadata.
type IndexedSessions struct {
	Sessions Sessions
	QueryMeta
}

type IngressGatewayConfigEntry added in v1.8.0

// IngressGatewayConfigEntry configures the ingress gateway service called
// Name. Read and write access are decided by CanRead / CanWrite against an
// acl.Authorizer; Normalize fills defaults and Validate rejects bad entries.
type IngressGatewayConfigEntry struct {
	// Kind of the config entry. This will be set to structs.IngressGateway.
	Kind string

	// Name is used to match the config entry with its associated ingress gateway
	// service. This should match the name provided in the service definition.
	Name string

	// TLS holds the TLS configuration for this gateway. It is a single
	// Enabled switch; with it off the listeners presumably accept plaintext
	// (confirm) — keep that in mind before exposing them beyond a trusted
	// network.
	TLS GatewayTLSConfig

	// Listeners declares what ports the ingress gateway should listen on, and
	// what services to associated to those ports.
	Listeners []IngressListener

	Meta           map[string]string `json:",omitempty"`
	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	RaftIndex
}

IngressGatewayConfigEntry manages the configuration for an ingress service with the given name.

func (*IngressGatewayConfigEntry) CanRead added in v1.8.0

func (e *IngressGatewayConfigEntry) CanRead(authz acl.Authorizer) bool

func (*IngressGatewayConfigEntry) CanWrite added in v1.8.0

func (e *IngressGatewayConfigEntry) CanWrite(authz acl.Authorizer) bool

func (*IngressGatewayConfigEntry) GetEnterpriseMeta added in v1.8.0

func (e *IngressGatewayConfigEntry) GetEnterpriseMeta() *EnterpriseMeta

func (*IngressGatewayConfigEntry) GetKind added in v1.8.0

func (e *IngressGatewayConfigEntry) GetKind() string

func (*IngressGatewayConfigEntry) GetMeta added in v1.8.4

func (e *IngressGatewayConfigEntry) GetMeta() map[string]string

func (*IngressGatewayConfigEntry) GetName added in v1.8.0

func (e *IngressGatewayConfigEntry) GetName() string

func (*IngressGatewayConfigEntry) GetRaftIndex added in v1.8.0

func (e *IngressGatewayConfigEntry) GetRaftIndex() *RaftIndex

func (*IngressGatewayConfigEntry) ListRelatedServices added in v1.8.4

func (e *IngressGatewayConfigEntry) ListRelatedServices() []ServiceID

ListRelatedServices implements discoveryChainConfigEntry

For ingress-gateway config entries this only finds services that are explicitly linked in the ingress-gateway config entry. Wildcards will not expand to all services.

This function is used during discovery chain graph validation to prevent erroneous sets of config entries from being created. Wildcard ingress filters out sets with protocol mismatch elsewhere so it isn't an issue here that needs fixing.

func (*IngressGatewayConfigEntry) Normalize added in v1.8.0

func (e *IngressGatewayConfigEntry) Normalize() error

func (*IngressGatewayConfigEntry) Validate added in v1.8.0

func (e *IngressGatewayConfigEntry) Validate() error

type IngressListener added in v1.8.0

// IngressListener describes one port an ingress gateway listens on, the
// protocol spoken on it and the services traffic on that port is forwarded to.
type IngressListener struct {
	// Port declares the port on which the ingress gateway should listen for traffic.
	Port int

	// Protocol declares what type of traffic this listener is expected to
	// receive. Depending on the protocol, a listener might support multiplexing
	// services over a single port, or additional discovery chain features. The
	// current supported values are: (tcp | http | http2 | grpc).
	Protocol string

	// Services declares the set of services to which the listener forwards
	// traffic.
	//
	// For "tcp" protocol listeners, only a single service is allowed.
	// For "http" listeners, multiple services can be declared.
	Services []IngressService
}

type IngressService added in v1.8.0

// IngressService names a service exposed on an IngressListener, optionally
// with the hostnames that route to it on layer 7 listeners.
type IngressService struct {
	// Name declares the service to which traffic should be forwarded.
	//
	// This can either be a specific service, or the wildcard specifier,
	// "*". If the wildcard specifier is provided, the listener must be of "http"
	// protocol and means that the listener will forward traffic to all services.
	//
	// A name can be specified on multiple listeners, and will be exposed on
	// each of those listeners.
	Name string

	// Hosts is a list of hostnames which should be associated to this service on
	// the defined listener. Only allowed on layer 7 protocols, this will be used
	// to route traffic to the service by matching the Host header of the HTTP
	// request.
	//
	// If a host is provided for a service that also has a wildcard specifier
	// defined, the host will override the wildcard-specifier-provided
	// "<service-name>.*" domain for that listener.
	//
	// This cannot be specified when using the wildcard specifier, "*", or when
	// using a "tcp" listener.
	//
	// NOTE(review): the restrictions above are presumably enforced by
	// IngressGatewayConfigEntry.Validate; confirm there rather than relying on
	// this comment.
	Hosts []string

	// Meta is arbitrary metadata attached to the service entry; it is omitted
	// from JSON when empty.
	Meta           map[string]string `json:",omitempty"`
	// EnterpriseMeta is embedded and flattened ("squash") when decoding from
	// HCL or via mapstructure.
	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
}

func (*IngressService) ToServiceName added in v1.8.0

func (s *IngressService) ToServiceName() ServiceName

type Intention added in v1.2.0

// Intention defines an intention for the Connect Service Graph. This defines
// the allowed or denied behavior of a connection between two services using
// Connect.
type Intention struct {
	// ID is the UUID-based ID for the intention, always generated by Consul.
	ID string `json:",omitempty"`

	// Description is a human-friendly description of this intention.
	// It is opaque to Consul and is only stored and transferred in API
	// requests.
	Description string `json:",omitempty"`

	// SourceNS, SourceName are the namespace and name, respectively, of
	// the source service. Either of these may be the wildcard "*", but only
	// the full value can be a wildcard. Partial wildcards are not allowed.
	// The source may also be a non-Consul service, as specified by SourceType.
	//
	// DestinationNS, DestinationName is the same, but for the destination
	// service. The same rules apply. The destination is always a Consul
	// service.
	SourceNS, SourceName           string
	DestinationNS, DestinationName string

	// SourceType is the type of the value for the source.
	SourceType IntentionSourceType

	// Action is whether this is an allowlist or denylist intention
	// (IntentionActionAllow or IntentionActionDeny).
	Action IntentionAction `json:",omitempty"`

	// Permissions is the list of additional L7 attributes that extend the
	// intention definition.
	//
	// NOTE: This field is not editable unless editing the underlying
	// service-intentions config entry directly.
	//
	// The bexpr:"-" tag excludes this field from filter expressions.
	Permissions []*IntentionPermission `bexpr:"-" json:",omitempty"`

	// DefaultAddr is not used.
	// Deprecated: DefaultAddr is not used and may be removed in a future version.
	DefaultAddr string `bexpr:"-" codec:",omitempty" json:",omitempty"`
	// DefaultPort is not used.
	// Deprecated: DefaultPort is not used and may be removed in a future version.
	DefaultPort int `bexpr:"-" codec:",omitempty" json:",omitempty"`

	// Meta is arbitrary metadata associated with the intention. This is
	// opaque to Consul but is served in API responses.
	Meta map[string]string `json:",omitempty"`

	// Precedence is the order that the intention will be applied, with
	// larger numbers being applied first. This is a read-only field, on
	// any intention update it is updated.
	Precedence int

	// CreatedAt and UpdatedAt keep track of when this record was created
	// or modified. They are not decoded via mapstructure and are excluded
	// from filter expressions.
	CreatedAt, UpdatedAt time.Time `mapstructure:"-" bexpr:"-"`

	// Hash of the contents of the intention. It is only needed for legacy
	// intention replication: when replicating from one DC to another, keeping
	// the content Hash allows content changes to be detected more efficiently
	// than by checking every single field.
	Hash []byte `bexpr:"-" json:",omitempty"`

	// RaftIndex is embedded and excluded from filter expressions.
	RaftIndex `bexpr:"-"`
}

Intention defines an intention for the Connect Service Graph. This defines the allowed or denied behavior of a connection between two services using Connect.

func TestIntention added in v1.2.0

func TestIntention(t testing.T) *Intention

TestIntention returns a valid, uninserted (no ID set) intention.

func (*Intention) CanRead added in v1.7.0

func (ixn *Intention) CanRead(authz acl.Authorizer) bool

func (*Intention) CanWrite added in v1.7.0

func (ixn *Intention) CanWrite(authz acl.Authorizer) bool

func (*Intention) Clone added in v1.9.0

func (t *Intention) Clone() *Intention

func (*Intention) DefaultNamespaces added in v1.7.0

func (ixn *Intention) DefaultNamespaces(_ *EnterpriseMeta)

DefaultNamespaces will populate both the SourceNS and DestinationNS fields if they are empty with the proper defaults.

func (*Intention) DestinationEnterpriseMeta added in v1.9.0

func (ixn *Intention) DestinationEnterpriseMeta() *EnterpriseMeta

func (*Intention) DestinationServiceName added in v1.9.0

func (x *Intention) DestinationServiceName() ServiceName

func (*Intention) FillAuthzContext added in v1.7.0

func (_ *Intention) FillAuthzContext(_ *acl.AuthorizerContext, _ bool)

FillAuthzContext can fill in an acl.AuthorizerContext object to setup extra parameters for ACL enforcement. In OSS there is currently nothing extra to be done.

func (*Intention) FillNonDefaultNamespaces added in v1.9.0

func (ixn *Intention) FillNonDefaultNamespaces(_ *EnterpriseMeta)

FillNonDefaultNamespaces will populate the SourceNS and DestinationNS fields if they are empty with the proper defaults, but only if the proper defaults are themselves not "default".

func (*Intention) HasWildcardDestination added in v1.10.0

func (t *Intention) HasWildcardDestination() bool

func (*Intention) HasWildcardSource added in v1.10.0

func (t *Intention) HasWildcardSource() bool

func (*Intention) LegacyEstimateSize deprecated added in v1.9.0

func (x *Intention) LegacyEstimateSize() int

LegacyEstimateSize returns an estimate (in bytes) of the size of this structure when encoded.

Deprecated: only exists for legacy intention replication during migration to 1.9.0+ cluster.

func (*Intention) MarshalJSON added in v1.9.0

func (t *Intention) MarshalJSON() ([]byte, error)

func (*Intention) SetHash deprecated added in v1.6.0

func (x *Intention) SetHash()

SetHash calculates Intention.Hash from any mutable "content" fields.

The Hash is primarily used for legacy intention replication to determine if an intention has changed and should be updated locally.

Deprecated: this is only used for legacy intention CRUD and replication.

func (*Intention) SourceEnterpriseMeta added in v1.9.0

func (ixn *Intention) SourceEnterpriseMeta() *EnterpriseMeta

func (*Intention) SourceServiceName added in v1.9.0

func (x *Intention) SourceServiceName() ServiceName

func (*Intention) String added in v1.2.0

func (x *Intention) String() string

String returns a human-friendly string for this intention.

func (*Intention) ToConfigEntry added in v1.9.0

func (x *Intention) ToConfigEntry(legacy bool) *ServiceIntentionsConfigEntry

NOTE: this is only used to manipulate user-provided data before an insert. The RPC execution will do Normalize + Validate for us.

func (*Intention) ToExact added in v1.9.0

func (t *Intention) ToExact() *IntentionQueryExact

func (*Intention) ToSourceIntention added in v1.9.0

func (x *Intention) ToSourceIntention(legacy bool) *SourceIntention

func (*Intention) UnmarshalJSON added in v1.6.2

func (t *Intention) UnmarshalJSON(data []byte) (err error)

func (*Intention) UpdatePrecedence deprecated added in v1.2.0

func (x *Intention) UpdatePrecedence()

UpdatePrecedence sets the Precedence value based on the fields of this structure.

Deprecated: this is only used for legacy intention CRUD.

func (*Intention) Validate deprecated added in v1.2.0

func (x *Intention) Validate() error

Validate returns an error if the intention is invalid for inserting or updating via the legacy APIs.

Deprecated: this is only used for legacy intention CRUD.

type IntentionAction added in v1.2.0

// IntentionAction is the action that the intention represents: "allow" or
// "deny" (see IntentionActionAllow and IntentionActionDeny).
type IntentionAction string

IntentionAction is the action that the intention represents. This can be "allow" or "deny".

const (
	// IntentionActionAllow marks an allowlist intention.
	IntentionActionAllow IntentionAction = "allow"
	// IntentionActionDeny marks a denylist intention.
	IntentionActionDeny  IntentionAction = "deny"
)

type IntentionDecisionSummary added in v1.9.0

// IntentionDecisionSummary contains a summary of a set of intentions between
// two services.
type IntentionDecisionSummary struct {
	// Allowed reports whether all actions are allowed.
	Allowed        bool
	// HasPermissions reports whether the matching intention has L7
	// permissions attached.
	HasPermissions bool
	// ExternalSource names the external source (e.g. k8s) managing the
	// intention, if any.
	ExternalSource string
	// HasExact reports whether there is an exact (rather than wildcard)
	// intention referencing the two services.
	HasExact       bool
	// DefaultAllow reports whether ACLs are in DefaultAllow mode.
	DefaultAllow   bool
}

IntentionDecisionSummary contains a summary of a set of intentions between two services. It currently contains: whether all actions are allowed; whether the matching intention has L7 permissions attached; whether the intention is managed by an external source like k8s; whether there is an exact, or wildcard, intention referencing the two services; and whether ACLs are in DefaultAllow mode.

type IntentionHTTPHeaderPermission added in v1.9.0

// IntentionHTTPHeaderPermission is one header match criterion of an
// IntentionHTTPPermission (see its Header field).
type IntentionHTTPHeaderPermission struct {
	// Name is the HTTP header the criterion applies to.
	Name    string
	// Present, Exact, Prefix, Suffix and Regex are the match kinds.
	// NOTE(review): presumably exactly one of them is set per entry, as with
	// the Path* fields of IntentionHTTPPermission — confirm in Validate.
	// Regex is operator-supplied; the engine that evaluates it is not visible
	// here.
	Present bool   `json:",omitempty"`
	Exact   string `json:",omitempty"`
	Prefix  string `json:",omitempty"`
	Suffix  string `json:",omitempty"`
	Regex   string `json:",omitempty"`
	// Invert flips the result of the match — confirm against the consumer.
	Invert  bool   `json:",omitempty"`
}

type IntentionHTTPPermission added in v1.9.0

// IntentionHTTPPermission holds the HTTP-level match criteria of an
// IntentionPermission: a path matcher, header matchers and a method list.
type IntentionHTTPPermission struct {
	// PathExact, PathPrefix, and PathRegex are mutually exclusive.
	PathExact  string `json:",omitempty" alias:"path_exact"`
	PathPrefix string `json:",omitempty" alias:"path_prefix"`
	PathRegex  string `json:",omitempty" alias:"path_regex"`

	// Header lists the header criteria; omitted from JSON when empty.
	Header []IntentionHTTPHeaderPermission `json:",omitempty"`

	// Methods lists the HTTP methods; omitted from JSON when empty.
	Methods []string `json:",omitempty"`
}

func (*IntentionHTTPPermission) Clone added in v1.9.0

type IntentionListRequest added in v1.9.0

// IntentionListRequest is the request for listing intentions.
type IntentionListRequest struct {
	// Datacenter is the datacenter the request targets (see RequestDatacenter).
	Datacenter     string
	// Legacy is never encoded to or decoded from JSON.
	Legacy         bool `json:"-"`
	// EnterpriseMeta is embedded and flattened ("squash") when decoding from
	// HCL or via mapstructure.
	EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	// QueryOptions is embedded query options for the request.
	QueryOptions
}

func (*IntentionListRequest) RequestDatacenter added in v1.9.0

func (r *IntentionListRequest) RequestDatacenter() string

type IntentionMatchEntry added in v1.2.0

// IntentionMatchEntry is a single entry for matching an intention.
type IntentionMatchEntry struct {
	// Namespace and Name identify the service to match on.
	Namespace string
	Name      string
}

IntentionMatchEntry is a single entry for matching an intention.

func (*IntentionMatchEntry) FillAuthzContext added in v1.7.0

func (_ *IntentionMatchEntry) FillAuthzContext(_ *acl.AuthorizerContext)

FillAuthzContext can fill in an acl.AuthorizerContext object to setup extra parameters for ACL enforcement. In OSS there is currently nothing extra to be done.

func (*IntentionMatchEntry) GetEnterpriseMeta added in v1.9.0

func (e *IntentionMatchEntry) GetEnterpriseMeta() *EnterpriseMeta

type IntentionMatchType added in v1.2.0

// IntentionMatchType is the target for a match request, e.g. matching by
// source looks for all intentions that match the given source value.
type IntentionMatchType string

IntentionMatchType is the target for a match request. For example, matching by source will look for all intentions that match the given source value.

const (
	// IntentionMatchSource matches intentions by their source.
	IntentionMatchSource      IntentionMatchType = "source"
	// IntentionMatchDestination matches intentions by their destination.
	IntentionMatchDestination IntentionMatchType = "destination"
)

type IntentionMutation added in v1.9.0

// IntentionMutation describes one change to an intention.
//
// NOTE(review): the fields are undocumented here; ID presumably identifies
// an existing intention, Source/Destination the service pair and Value the
// source intention to apply — confirm against the callers.
type IntentionMutation struct {
	ID          string
	Destination ServiceName
	Source      ServiceName
	Value       *SourceIntention
}

type IntentionOp added in v1.2.0

// IntentionOp is the operation for a request related to intentions.
type IntentionOp string

IntentionOp is the operation for a request related to intentions.

// Intention operations. Upsert is the config-entry path; the others are
// presumably the legacy intention CRUD operations — confirm in the RPC layer.
const (
	IntentionOpCreate    IntentionOp = "create"
	IntentionOpUpdate    IntentionOp = "update"
	IntentionOpDelete    IntentionOp = "delete"
	IntentionOpDeleteAll IntentionOp = "delete-all" // NOTE: this is only accepted when it comes from the leader, RPCs will reject this
	IntentionOpUpsert    IntentionOp = "upsert"     // config-entry only
)

type IntentionPermission added in v1.9.0

// IntentionPermission is one L7 rule attached to an Intention (see
// Intention.Permissions): an action plus the HTTP criteria it applies to.
type IntentionPermission struct {
	Action IntentionAction // required: allow|deny

	// HTTP holds the HTTP-level match criteria; omitted from JSON when nil.
	HTTP *IntentionHTTPPermission `json:",omitempty"`
}

func (*IntentionPermission) Clone added in v1.9.0

type IntentionPrecedenceSorter added in v1.2.0

// IntentionPrecedenceSorter sorts a list of intentions by their match
// precedence rules; index 0 has the highest precedence.
type IntentionPrecedenceSorter Intentions

IntentionPrecedenceSorter takes a list of intentions and sorts them based on the match precedence rules for intentions. The intentions closer to the head of the list have higher precedence. i.e. index 0 has the highest precedence.

func (IntentionPrecedenceSorter) Len added in v1.2.0

func (IntentionPrecedenceSorter) Less added in v1.2.0

func (s IntentionPrecedenceSorter) Less(i, j int) bool

func (IntentionPrecedenceSorter) Swap added in v1.2.0

func (s IntentionPrecedenceSorter) Swap(i, j int)

type IntentionQueryCheck added in v1.2.0

// IntentionQueryCheck are the parameters for performing a test request.
type IntentionQueryCheck struct {
	// SourceNS, SourceName, DestinationNS, and DestinationName are the
	// namespace and name of the source and destination, respectively, for
	// the test. These must be exact values.
	SourceNS, SourceName           string
	DestinationNS, DestinationName string

	// SourceType is the type of the value for the source.
	SourceType IntentionSourceType
}

IntentionQueryCheck are the parameters for performing a test request.

func (*IntentionQueryCheck) FillAuthzContext added in v1.7.0

func (_ *IntentionQueryCheck) FillAuthzContext(_ *acl.AuthorizerContext)

FillAuthzContext can fill in an acl.AuthorizerContext object to setup extra parameters for ACL enforcement. In OSS there is currently nothing extra to be done.

func (*IntentionQueryCheck) GetACLPrefix added in v1.2.0

func (q *IntentionQueryCheck) GetACLPrefix() (string, bool)

GetACLPrefix returns the prefix to look up the ACL policy for this request, and a boolean noting whether the prefix is valid to check or not. You must check the ok value before using the prefix.

type IntentionQueryCheckResponse added in v1.2.0

// IntentionQueryCheckResponse is the response for a test request.
type IntentionQueryCheckResponse struct {
	// Allowed reports whether the tested source-to-destination connection is
	// allowed.
	Allowed bool
}

IntentionQueryCheckResponse is the response for a test request.