View Source
const (
	PrometheusDefaultRetentionTime = 24 * time.Hour
	UsageGaugeDefaultPeriod        = 10 * time.Minute
	MaximumGaugeCardinalityDefault = 500


View Source
var (
	ConfigureWrapper             = configureWrapper
	CreateSecureRandomReaderFunc = createSecureRandomReader
View Source
var GetAWSKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
	wrapper := awskms.NewWrapper(opts)
	wrapperInfo, err := wrapper.SetConfig(kms.Config)
	if err != nil {

		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
			return nil, nil, err
	info := make(map[string]string)
	if wrapperInfo != nil {
		info["AWS KMS Region"] = wrapperInfo["region"]
		info["AWS KMS KeyID"] = wrapperInfo["kms_key_id"]
		if endpoint, ok := wrapperInfo["endpoint"]; ok {
			info["AWS KMS Endpoint"] = endpoint
	return wrapper, info, nil
View Source
var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error) {
	wrapper := transit.NewWrapper(opts)
	wrapperInfo, err := wrapper.SetConfig(kms.Config)
	if err != nil {

		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
			return nil, nil, err
	info := make(map[string]string)
	if wrapperInfo != nil {
		info["Transit Address"] = wrapperInfo["address"]
		info["Transit Mount Path"] = wrapperInfo["mount_path"]
		info["Transit Key Name"] = wrapperInfo["key_name"]
		if namespace, ok := wrapperInfo["namespace"]; ok {
			info["Transit Namespace"] = namespace
	return wrapper, info, nil


func EncryptDecrypt

func EncryptDecrypt(rawStr string, decrypt, strip bool, wrapper wrapping.Wrapper) (string, error)

func GetAEADKMSFunc

func GetAEADKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error)

func GetAliCloudKMSFunc

func GetAliCloudKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error)

func GetAzureKeyVaultKMSFunc

func GetAzureKeyVaultKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error)


func GetGCPCKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error)


func GetOCIKMSKMSFunc(opts *wrapping.WrapperOptions, kms *KMS) (wrapping.Wrapper, map[string]string, error)

func ParseEntropy

func ParseEntropy(result *SharedConfig, list *ast.ObjectList, blockName string) error

func ParseListeners

func ParseListeners(result *SharedConfig, list *ast.ObjectList) error

func SetupTelemetry

func SetupTelemetry(opts *SetupTelemetryOpts) (*metrics.InmemSink, *metricsutil.ClusterMetricSink, bool, error)

    SetupTelemetry is used to setup the telemetry sub-systems and returns the in-memory sink to be used in http configuration


    type EntSharedConfig

    type EntSharedConfig struct {

    func (*EntSharedConfig) ParseConfig

    func (ec *EntSharedConfig) ParseConfig(list *ast.ObjectList) error

    type Entropy

    type Entropy struct {
    	Mode EntropyMode

    type EntropyMode

    type EntropyMode int

      Entropy contains Entropy configuration for the server

      const (
      	EntropyUnknown EntropyMode = iota

      type KMS

      type KMS struct {
      	Type string
      	// Purpose can be used to allow a string-based specification of what this
      	// KMS is designated for, in situations where we want to allow more than
      	// one KMS to be specified
      	Purpose []string `hcl:"-"`
      	Disabled bool
      	Config   map[string]string

        KMS contains KMS configuration for the server

        func LoadConfigKMSes

        func LoadConfigKMSes(path string) ([]*KMS, error)

        func ParseKMSes

        func ParseKMSes(d string) ([]*KMS, error)

        func (*KMS) GoString

        func (k *KMS) GoString() string

        type Listener

        type Listener struct {
        	RawConfig map[string]interface{}
        	Type       string
        	Purpose    []string    `hcl:"-"`
        	PurposeRaw interface{} `hcl:"purpose"`
        	Address                 string        `hcl:"address"`
        	ClusterAddress          string        `hcl:"cluster_address"`
        	MaxRequestSize          int64         `hcl:"-"`
        	MaxRequestSizeRaw       interface{}   `hcl:"max_request_size"`
        	MaxRequestDuration      time.Duration `hcl:"-"`
        	MaxRequestDurationRaw   interface{}   `hcl:"max_request_duration"`
        	RequireRequestHeader    bool          `hcl:"-"`
        	RequireRequestHeaderRaw interface{}   `hcl:"require_request_header"`
        	TLSDisable                       bool        `hcl:"-"`
        	TLSDisableRaw                    interface{} `hcl:"tls_disable"`
        	TLSCertFile                      string      `hcl:"tls_cert_file"`
        	TLSKeyFile                       string      `hcl:"tls_key_file"`
        	TLSMinVersion                    string      `hcl:"tls_min_version"`
        	TLSCipherSuites                  []uint16    `hcl:"-"`
        	TLSCipherSuitesRaw               string      `hcl:"tls_cipher_suites"`
        	TLSPreferServerCipherSuites      bool        `hcl:"-"`
        	TLSPreferServerCipherSuitesRaw   interface{} `hcl:"tls_prefer_server_cipher_suites"`
        	TLSRequireAndVerifyClientCert    bool        `hcl:"-"`
        	TLSRequireAndVerifyClientCertRaw interface{} `hcl:"tls_require_and_verify_client_cert"`
        	TLSClientCAFile                  string      `hcl:"tls_client_ca_file"`
        	TLSDisableClientCerts            bool        `hcl:"-"`
        	TLSDisableClientCertsRaw         interface{} `hcl:"tls_disable_client_certs"`
        	HTTPReadTimeout          time.Duration `hcl:"-"`
        	HTTPReadTimeoutRaw       interface{}   `hcl:"http_read_timeout"`
        	HTTPReadHeaderTimeout    time.Duration `hcl:"-"`
        	HTTPReadHeaderTimeoutRaw interface{}   `hcl:"http_read_header_timeout"`
        	HTTPWriteTimeout         time.Duration `hcl:"-"`
        	HTTPWriteTimeoutRaw      interface{}   `hcl:"http_write_timeout"`
        	HTTPIdleTimeout          time.Duration `hcl:"-"`
        	HTTPIdleTimeoutRaw       interface{}   `hcl:"http_idle_timeout"`
        	ProxyProtocolBehavior           string                        `hcl:"proxy_protocol_behavior"`
        	ProxyProtocolAuthorizedAddrs    []*sockaddr.SockAddrMarshaler `hcl:"-"`
        	ProxyProtocolAuthorizedAddrsRaw interface{}                   `hcl:"proxy_protocol_authorized_addrs"`
        	XForwardedForAuthorizedAddrs        []*sockaddr.SockAddrMarshaler `hcl:"-"`
        	XForwardedForAuthorizedAddrsRaw     interface{}                   `hcl:"x_forwarded_for_authorized_addrs"`
        	XForwardedForHopSkips               int64                         `hcl:"-"`
        	XForwardedForHopSkipsRaw            interface{}                   `hcl:"x_forwarded_for_hop_skips"`
        	XForwardedForRejectNotPresent       bool                          `hcl:"-"`
        	XForwardedForRejectNotPresentRaw    interface{}                   `hcl:"x_forwarded_for_reject_not_present"`
        	XForwardedForRejectNotAuthorized    bool                          `hcl:"-"`
        	XForwardedForRejectNotAuthorizedRaw interface{}                   `hcl:"x_forwarded_for_reject_not_authorized"`
        	SocketMode  string `hcl:"socket_mode"`
        	SocketUser  string `hcl:"socket_user"`
        	SocketGroup string `hcl:"socket_group"`
        	Telemetry ListenerTelemetry `hcl:"telemetry"`
        	// RandomPort is used only for some testing purposes
        	RandomPort bool `hcl:"-"`
        	CorsEnabledRaw        interface{} `hcl:"cors_enabled"`
        	CorsEnabled           bool        `hcl:"-"`
        	CorsAllowedOrigins    []string    `hcl:"cors_allowed_origins"`
        	CorsAllowedHeaders    []string    `hcl:"-"`
        	CorsAllowedHeadersRaw []string    `hcl:"cors_allowed_headers"`

          Listener is the listener configuration for the server.

          func (*Listener) GoString

          func (l *Listener) GoString() string

          type ListenerTelemetry

          type ListenerTelemetry struct {
          	UnauthenticatedMetricsAccess    bool        `hcl:"-"`
          	UnauthenticatedMetricsAccessRaw interface{} `hcl:"unauthenticated_metrics_access"`

          type SetupTelemetryOpts

          type SetupTelemetryOpts struct {
          	Config      *Telemetry
          	Ui          cli.Ui
          	ServiceName string
          	DisplayName string
          	UserAgent   string
          	ClusterName string

          type SharedConfig

          type SharedConfig struct {
          	Listeners []*Listener `hcl:"-"`
          	Seals   []*KMS   `hcl:"-"`
          	Entropy *Entropy `hcl:"-"`
          	DisableMlock    bool        `hcl:"-"`
          	DisableMlockRaw interface{} `hcl:"disable_mlock"`
          	Telemetry *Telemetry `hcl:"telemetry"`
          	DefaultMaxRequestDuration    time.Duration `hcl:"-"`
          	DefaultMaxRequestDurationRaw interface{}   `hcl:"default_max_request_duration"`
          	// LogFormat specifies the log format. Valid values are "standard" and
          	// "json". The values are case-insenstive. If no log format is specified,
          	// then standard format will be used.
          	LogFormat string `hcl:"log_format"`
          	LogLevel  string `hcl:"log_level"`
          	PidFile string `hcl:"pid_file"`
          	ClusterName string `hcl:"cluster_name"`

            SharedConfig contains some shared values

            func LoadConfigFile

            func LoadConfigFile(path string) (*SharedConfig, error)

              LoadConfigFile loads the configuration from the given file.

              func ParseConfig

              func ParseConfig(d string) (*SharedConfig, error)

              func (*SharedConfig) Merge

              func (c *SharedConfig) Merge(c2 *SharedConfig) *SharedConfig

              func (*SharedConfig) Sanitized

              func (c *SharedConfig) Sanitized() map[string]interface{}

                Sanitized returns a copy of the config with all values that are considered sensitive stripped. It also strips all `*Raw` values that are mainly used for parsing.

                Specifically, the fields that this method strips are: - KMS.Config - Telemetry.CirconusAPIToken

                type Telemetry

                type Telemetry struct {
                	StatsiteAddr string `hcl:"statsite_address"`
                	StatsdAddr   string `hcl:"statsd_address"`
                	DisableHostname     bool   `hcl:"disable_hostname"`
                	EnableHostnameLabel bool   `hcl:"enable_hostname_label"`
                	MetricsPrefix       string `hcl:"metrics_prefix"`
                	UsageGaugePeriod    time.Duration
                	UsageGaugePeriodRaw interface{} `hcl:"usage_gauge_period"`
                	MaximumGaugeCardinality int `hcl:"maximum_gauge_cardinality"`
                	// CirconusAPIToken is a valid API Token used to create/manage check. If provided,
                	// metric management is enabled.
                	// Default: none
                	CirconusAPIToken string `hcl:"circonus_api_token"`
                	// CirconusAPIApp is an app name associated with API token.
                	// Default: "consul"
                	CirconusAPIApp string `hcl:"circonus_api_app"`
                	// CirconusAPIURL is the base URL to use for contacting the Circonus API.
                	// Default: ""
                	CirconusAPIURL string `hcl:"circonus_api_url"`
                	// CirconusSubmissionInterval is the interval at which metrics are submitted to Circonus.
                	// Default: 10s
                	CirconusSubmissionInterval string `hcl:"circonus_submission_interval"`
                	// CirconusCheckSubmissionURL is the check.config.submission_url field from a
                	// previously created HTTPTRAP check.
                	// Default: none
                	CirconusCheckSubmissionURL string `hcl:"circonus_submission_url"`
                	// CirconusCheckID is the check id (not check bundle id) from a previously created
                	// HTTPTRAP check. The numeric portion of the check._cid field.
                	// Default: none
                	CirconusCheckID string `hcl:"circonus_check_id"`
                	// CirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
                	// if the metric already exists and is NOT active. If check management is enabled, the default
                	// behavior is to add new metrics as they are encountered. If the metric already exists in the
                	// check, it will *NOT* be activated. This setting overrides that behavior.
                	// Default: "false"
                	CirconusCheckForceMetricActivation string `hcl:"circonus_check_force_metric_activation"`
                	// CirconusCheckInstanceID serves to uniquely identify the metrics coming from this "instance".
                	// It can be used to maintain metric continuity with transient or ephemeral instances as
                	// they move around within an infrastructure.
                	// Default: hostname:app
                	CirconusCheckInstanceID string `hcl:"circonus_check_instance_id"`
                	// CirconusCheckSearchTag is a special tag which, when coupled with the instance id, helps to
                	// narrow down the search results when neither a Submission URL or Check ID is provided.
                	// Default: service:app (e.g. service:consul)
                	CirconusCheckSearchTag string `hcl:"circonus_check_search_tag"`
                	// CirconusCheckTags is a comma separated list of tags to apply to the check. Note that
                	// the value of CirconusCheckSearchTag will always be added to the check.
                	// Default: none
                	CirconusCheckTags string `hcl:"circonus_check_tags"`
                	// CirconusCheckDisplayName is the name for the check which will be displayed in the Circonus UI.
                	// Default: value of CirconusCheckInstanceID
                	CirconusCheckDisplayName string `hcl:"circonus_check_display_name"`
                	// CirconusBrokerID is an explicit broker to use when creating a new check. The numeric portion
                	// of broker._cid. If metric management is enabled and neither a Submission URL nor Check ID
                	// is provided, an attempt will be made to search for an existing check using Instance ID and
                	// Search Tag. If one is not found, a new HTTPTRAP check will be created.
                	// Default: use Select Tag if provided, otherwise, a random Enterprise Broker associated
                	// with the specified API token or the default Circonus Broker.
                	// Default: none
                	CirconusBrokerID string `hcl:"circonus_broker_id"`
                	// CirconusBrokerSelectTag is a special tag which will be used to select a broker when
                	// a Broker ID is not provided. The best use of this is to as a hint for which broker
                	// should be used based on *where* this particular instance is running.
                	// (e.g. a specific geo location or datacenter, dc:sfo)
                	// Default: none
                	CirconusBrokerSelectTag string `hcl:"circonus_broker_select_tag"`
                	// Dogstats:
                	// DogStatsdAddr is the address of a dogstatsd instance. If provided,
                	// metrics will be sent to that instance
                	DogStatsDAddr string `hcl:"dogstatsd_addr"`
                	// DogStatsdTags are the global tags that should be sent with each packet to dogstatsd
                	// It is a list of strings, where each string looks like "my_tag_name:my_tag_value"
                	DogStatsDTags []string `hcl:"dogstatsd_tags"`
                	// Prometheus:
                	// PrometheusRetentionTime is the retention time for prometheus metrics if greater than 0.
                	// Default: 24h
                	PrometheusRetentionTime    time.Duration `hcl:"-"`
                	PrometheusRetentionTimeRaw interface{}   `hcl:"prometheus_retention_time"`
                	// Stackdriver:
                	// StackdriverProjectID is the project to publish stackdriver metrics to.
                	StackdriverProjectID string `hcl:"stackdriver_project_id"`
                	// StackdriverLocation is the GCP or AWS region of the monitored resource.
                	StackdriverLocation string `hcl:"stackdriver_location"`
                	// StackdriverNamespace is the namespace identifier, such as a cluster name.
                	StackdriverNamespace string `hcl:"stackdriver_namespace"`
                	// StackdriverDebugLogs will write additional stackdriver related debug logs to stderr.
                	StackdriverDebugLogs bool `hcl:"stackdriver_debug_logs"`

                  Telemetry is the telemetry configuration for the server

                  func (*Telemetry) GoString

                  func (t *Telemetry) GoString() string