sys/config: config state endpoint #7424
Merged
22 commits
7a45f56 (calvn) sys/config: initial work on adding config state endpoint
66afa3c (calvn) server/config: add tests, fix Sanitized method
e612b78 (calvn) thread config through NewTestCluster's config to avoid panic on dev m…
15f41ee (calvn) properly guard endpoint against request forwarding
c4a9edb (calvn) add http tests, guard against panics on nil RawConfig
9cfbdb3 (calvn) ensure non-nil rawConfig on NewTestCluster cores
d1d2919 (calvn) Merge remote-tracking branch 'origin/master' into sys-config-state
048961c (calvn) update non-forwarding logic
0813829 (calvn) Merge remote-tracking branch 'origin/master' into sys-config-state
31c2454 (calvn) fix imports; use no-forward handler
6567fac (calvn) add missing config test fixture; update gitignore
543f765 (calvn) Merge remote-tracking branch 'origin/master' into sys-config-state
26fdcb5 (calvn) return sanitized config as a map
7fef0b8 (calvn) fix test, use deep.Equal to check for equality
66eb350 (calvn) fix http test
507f708 (calvn) Merge remote-tracking branch 'origin/master' into sys-config-state
95ab4e0 (calvn) minor comment fix
da85f38 (calvn) config: change Sanitized to return snake-cased keys, update tests
219d6ee (calvn) Merge remote-tracking branch 'origin/master' into sys-config-state
d5b5a9f (calvn) core: hold rlock when reading config; add docstring
d62aa0f (calvn) update docstring
86a808c (calvn) Merge branch 'master' into sys-config-state
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
disable_cache = true | ||
disable_mlock = true | ||
|
||
ui = true | ||
|
||
api_addr = "top_level_api_addr" | ||
cluster_addr = "top_level_cluster_addr" | ||
|
||
listener "tcp" { | ||
address = "127.0.0.1:443" | ||
} | ||
|
||
backend "consul" { | ||
advertise_addr = "foo" | ||
token = "foo" | ||
} | ||
|
||
ha_backend "consul" { | ||
bar = "baz" | ||
advertise_addr = "snafu" | ||
disable_clustering = "true" | ||
token = "foo" | ||
} | ||
|
||
telemetry { | ||
statsd_address = "bar" | ||
circonus_api_token = "baz" | ||
} | ||
|
||
seal "awskms" { | ||
region = "us-east-1" | ||
access_key = "AKIAIOSFODNN7EXAMPLE" | ||
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | ||
} | ||
|
||
max_lease_ttl = "10h" | ||
default_lease_ttl = "10h" | ||
cluster_name = "testcluster" | ||
pid_file = "./pidfile" | ||
raw_storage_endpoint = true | ||
disable_sealwrap = true |
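Review bot: The fixture carries secret-bearing keys in four stanzas (`token` in both `backend "consul"` and `ha_backend "consul"`, `circonus_api_token` in `telemetry`, and `access_key`/`secret_key` in `seal "awskms"`), so the test that loads it should assert explicitly that none of those values appears anywhere in the sanitized output, in addition to any comparison against an expected map. The two consul tokens share the value "foo", which is also the value of `advertise_addr` in `backend "consul"`; giving each secret a distinct, recognisable value would let a test tell a leaked token apart from a legitimately retained field. A one-line comment at the top of the file stating that the AWS key pair is the documentation example credential would keep secret scanners and later readers from treating it as a real leak.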
It feels like stripping out Storage.Config is extreme. I understand that it's impractical to be more fine-grained in general, but our enterprise customers are mostly going to be using Consul and Raft. Can we special-case those and only strip out the truly sensitive config, e.g. consul token?
If we were going to show certain values from Config, I think the safer approach would be to have an allow-list rather than a set of values to strip, as they could be easily overlooked/forgotten since it's better to forget adding a non-sensitive value than leaking a sensitive one. I started down this road initially, but stopped after realizing the numerous types of storage backends that we support and the number of fields that we'd need to include for each of those.
I think the cleaner approach would be to have a separate endpoint that displayed the complete configuration file params, including the Config map (and that could be included in the debug bundle in a future release), but didn't want to add this prematurely.
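The trade-off discussed in the two comments above, as an added example that is not part of the thread or of Vault's code: a strip-list and an allow-list are run over the same storage config map, and each reports which keys it would expose. The lists, the function names and the `example_new_secret` field are assumptions made up for illustration; the other field names come from the `ha_backend "consul"` stanza in the fixture.

```go
package main

import (
	"fmt"
	"sort"
)

// Strip-list: keys known to be sensitive when the list was written.
var stripKeys = map[string]bool{"token": true}

// Allow-list per storage type (hypothetical, built from the fixture's consul
// fields; not Vault's own code).
var allowKeys = map[string]map[string]bool{
	"consul": {"advertise_addr": true, "disable_clustering": true},
}

// filter returns the sorted names of the keys in cfg that keep accepts.
func filter(cfg map[string]string, keep func(string) bool) []string {
	var out []string
	for k := range cfg {
		if keep(k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// exposedByStrip lists keys that survive removal of the strip-listed ones.
func exposedByStrip(cfg map[string]string) []string {
	return filter(cfg, func(k string) bool { return !stripKeys[k] })
}

// exposedByAllow lists keys that are allow-listed for storageType. An unknown
// type has no list, so nothing is exposed (fails closed).
func exposedByAllow(storageType string, cfg map[string]string) []string {
	return filter(cfg, func(k string) bool { return allowKeys[storageType][k] })
}

func main() {
	// Constructed input: the fixture's ha_backend fields plus a made-up
	// sensitive field that neither list anticipated.
	cfg := map[string]string{"bar": "baz", "advertise_addr": "snafu",
		"disable_clustering": "true", "token": "foo", "example_new_secret": "x"}
	fmt.Println("strip-list exposes:", exposedByStrip(cfg))
	fmt.Println("allow-list exposes:", exposedByAllow("consul", cfg))
}
```

The strip-list exposes the unanticipated field until someone remembers to add it, while the allow-list omits it along with the harmless `bar`, which is the cost the second comment describes: every safe field of every backend has to be enumerated.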