hashicorp · boxofrad · Sep 21, 2022 · Sep 6, 2022 · Sep 9, 2022 · Sep 15, 2022
@@ -96,8 +96,3 @@ copy-bootstrap-config:
 .PHONY: unit-tests
 unit-tests:
 	go test ./...
-
-# TODO: Install dependencies before running this target
-.PHONY: consul-proto
-consul-proto:
-	buf generate "https://github.com/hashicorp/consul.git#branch=main,subdir=proto-public"
@@ -16,8 +16,16 @@ import (
 var (
 	printVersion bool
 
-	addresses string
-	grpcPort  int
+	addresses           string
+	grpcPort            int
+	serverWatchDisabled bool
+
+	tlsDisabled           bool
+	tlsCACertsPath        string
+	tlsServerName         string
+	tlsCertFile           string
+	tlsKeyFile            string
+	tlsInsecureSkipVerify bool
 
 	logLevel string
 	logJSON  bool
@@ -28,7 +36,15 @@ var (
 	namespace string
 	partition string
 
-	token string
+	credentialType       string
+	token                string
+	loginAuthMethod      string
+	loginNamespace       string
+	loginPartition       string
+	loginDatacenter      string
+	loginBearerToken     string
+	loginBearerTokenPath string
+	loginMeta            map[string]string
 
 	useCentralTelemetryConfig bool
 
@@ -53,6 +69,8 @@ func init() {
 
 	flag.IntVar(&grpcPort, "grpc-port", 8502, "gRPC port on Consul servers.")
 
+	flag.BoolVar(&serverWatchDisabled, "server-watch-disabled", false, "Setting this prevents consul-dataplane from consuming the server update stream. This is useful for situations where Consul servers are behind a load balancer.")
+
 	flag.StringVar(&logLevel, "log-level", "info", "Log level of the messages to print. "+
 		"Available log levels are \"trace\", \"debug\", \"info\", \"warn\", and \"error\".")
 
@@ -64,7 +82,15 @@ func init() {
 	flag.StringVar(&namespace, "service-namespace", "", "The Consul Enterprise namespace in which the proxy service instance is registered.")
 	flag.StringVar(&partition, "service-partition", "", "The Consul Enterprise partition in which the proxy service instance is registered.")
 
-	flag.StringVar(&token, "static-token", "", "The ACL token used to authenticate requests to Consul servers (when -login-method is set to static).")
+	flag.StringVar(&credentialType, "credential-type", "", "The type of credentials that will be used to authenticate with Consul servers (static or login).")
+	flag.StringVar(&token, "static-token", "", "The ACL token used to authenticate requests to Consul servers (when -credential-type is set to static).")
+	flag.StringVar(&loginAuthMethod, "login-auth-method", "", "The auth method that will be used to log in.")
+	flag.StringVar(&loginNamespace, "login-namespace", "", "The Consul Enterprise namespace containing the auth method.")
+	flag.StringVar(&loginPartition, "login-partition", "", "The Consul Enterprise partition containing the auth method.")
+	flag.StringVar(&loginDatacenter, "login-datacenter", "", "The datacenter containing the auth method.")
+	flag.StringVar(&loginBearerToken, "login-bearer-token", "", "The bearer token that will be presented to the auth method.")
+	flag.StringVar(&loginBearerTokenPath, "login-bearer-token-path", "", "The path to a file containing the bearer token that will be presented to the auth method.")
+	flag.Var((*FlagMapValue)(&loginMeta), "login-meta", "An arbitrary set of key/value pairs that will be attached to the ACL token (formatted as key=value, may be given multiple times).")
 
 	flag.BoolVar(&useCentralTelemetryConfig, "telemetry-use-central-config", true, "Controls whether the proxy will apply the central telemetry configuration.")
 
@@ -75,6 +101,13 @@ func init() {
 
 	flag.StringVar(&xdsBindAddr, "xds-bind-addr", "127.0.0.1", "The address on which the Envoy xDS server will be available.")
 	flag.IntVar(&xdsBindPort, "xds-bind-port", 0, "The port on which the Envoy xDS server will be available.")
+
+	flag.BoolVar(&tlsDisabled, "tls-disabled", false, "Communicate with Consul servers over a plaintext connection. Useful for testing, but not recommended for production.")
+	flag.StringVar(&tlsCACertsPath, "ca-certs", "", "The path to a file or directory containing CA certificates that will be used to verify the server's certificate.")
+	flag.StringVar(&tlsCertFile, "tls-cert", "", "The path to a client certificate file (only required if tls.grpc.verify_incoming is enabled on the server).")
+	flag.StringVar(&tlsKeyFile, "tls-key", "", "The path to a client private key file (only required if tls.grpc.verify_incoming is enabled on the server).")
+	flag.StringVar(&tlsServerName, "tls-server-name", "", "The hostname to expect in the server certificate's subject (required if -addresses isn't a DNS name).")
+	flag.BoolVar(&tlsInsecureSkipVerify, "tls-insecure-skip-verify", false, "Do not verify the server's certificate. Useful for testing, but not recommended for production.")
 }
 
 // validateFlags performs semantic validation of the flag values
@@ -102,9 +135,28 @@ func main() {
 			Addresses: addresses,
 			GRPCPort:  grpcPort,
 			Credentials: &consuldp.CredentialsConfig{
-				Static: &consuldp.StaticCredentialsConfig{
+				Type: consuldp.CredentialsType(credentialType),
+				Static: consuldp.StaticCredentialsConfig{
 					Token: token,
 				},
+				Login: consuldp.LoginCredentialsConfig{
+					AuthMethod:      loginAuthMethod,
+					Namespace:       loginNamespace,
+					Partition:       loginPartition,
+					Datacenter:      loginDatacenter,
+					BearerToken:     loginBearerToken,
+					BearerTokenPath: loginBearerTokenPath,
+					Meta:            loginMeta,
+				},
+			},
+			ServerWatchDisabled: serverWatchDisabled,
+			TLS: &consuldp.TLSConfig{
+				Disabled:           tlsDisabled,
+				CACertsPath:        tlsCACertsPath,
+				ServerName:         tlsServerName,
+				CertFile:           tlsCertFile,
+				KeyFile:            tlsKeyFile,
+				InsecureSkipVerify: tlsInsecureSkipVerify,
 			},
 		},
 		Service: &consuldp.ServiceConfig{

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"strings"
+)
+
+var _ flag.Value = (*FlagMapValue)(nil)
+
+// FlagMapValue is a flag implementation used to provide key=value semantics
+// multiple times.
+type FlagMapValue map[string]string
+
+func (h *FlagMapValue) String() string {
+	return fmt.Sprintf("%v", *h)
+}
+
+func (h *FlagMapValue) Set(value string) error {
+	idx := strings.Index(value, "=")
+	if idx == -1 {
+		return fmt.Errorf("Missing \"=\" value in argument: %s", value)
+	}
+
+	key, value := value[0:idx], value[idx+1:]
+
+	if *h == nil {
+		*h = make(map[string]string)
+	}
+
+	headers := *h
+	headers[key] = value
+	*h = headers
+
+	return nil
+}
@@ -0,0 +1,80 @@
+package main
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestFlagMapValueSet(t *testing.T) {
+	t.Parallel()
+
+	t.Run("missing =", func(t *testing.T) {
+
+		f := new(FlagMapValue)
+		if err := f.Set("foo"); err == nil {
+			t.Fatal("expected error, got nil")
+		}
+	})
+
+	t.Run("sets", func(t *testing.T) {
+
+		f := new(FlagMapValue)
+		if err := f.Set("foo=bar"); err != nil {
+			t.Fatal(err)
+		}
+
+		r, ok := (*f)["foo"]
+		if !ok {
+			t.Errorf("missing value: %#v", f)
+		}
+		if exp := "bar"; r != exp {
+			t.Errorf("expected %q to be %q", r, exp)
+		}
+	})
+
+	t.Run("sets multiple", func(t *testing.T) {
+
+		f := new(FlagMapValue)
+
+		r := map[string]string{
+			"foo": "bar",
+			"zip": "zap",
+			"cat": "dog",
+		}
+
+		for k, v := range r {
+			if err := f.Set(fmt.Sprintf("%s=%s", k, v)); err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		for k, v := range r {
+			r, ok := (*f)[k]
+			if !ok {
+				t.Errorf("missing value %q: %#v", k, f)
+			}
+			if exp := v; r != exp {
+				t.Errorf("expected %q to be %q", r, exp)
+			}
+		}
+	})
+
+	t.Run("overwrites", func(t *testing.T) {
+
+		f := new(FlagMapValue)
+		if err := f.Set("foo=bar"); err != nil {
+			t.Fatal(err)
+		}
+		if err := f.Set("foo=zip"); err != nil {
+			t.Fatal(err)
+		}
+
+		r, ok := (*f)["foo"]
+		if !ok {
+			t.Errorf("missing value: %#v", f)
+		}
+		if exp := "zip"; r != exp {
+			t.Errorf("expected %q to be %q", r, exp)
+		}
+	})
+}
@@ -4,21 +4,27 @@ go 1.19
 
 require (
 	github.com/adamthesax/grpc-proxy v0.0.0-20220525203857-13e92d14f87a
+	github.com/hashicorp/consul/proto-public v0.1.0
 	github.com/hashicorp/go-hclog v1.2.2
-	github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46
+	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/stretchr/testify v1.8.0
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.1
 )
 
 require (
+	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/uuid v1.1.2 // indirect
+	github.com/hashicorp/consul-server-connection-manager v0.0.0-20220908112242-b9f43f15d156 // indirect
+	github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
 	golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect

@@ -4,6 +4,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/adamthesax/grpc-proxy v0.0.0-20220525203857-13e92d14f87a h1:8fjfNnk9RLn3F4R4XEljSOZARy1+h1f0KTh6xGFefjw=
 github.com/adamthesax/grpc-proxy v0.0.0-20220525203857-13e92d14f87a/go.mod h1:Aku9EjGILrB1V88F+yfJ8CaIVaKqDeWkW2vkCbY2WSA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
+github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -51,21 +53,34 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/consul-server-connection-manager v0.0.0-20220908112242-b9f43f15d156 h1:fg/ocjUfyx6JXmYr/UL/OC5pbG1sPjWOF3jSQWvRGKc=
+github.com/hashicorp/consul-server-connection-manager v0.0.0-20220908112242-b9f43f15d156/go.mod h1:C3zdIuwQZ6GsU9jpc1iWr/+5UDgE/3p7UPGqTtvHqsY=
+github.com/hashicorp/consul/proto-public v0.1.0 h1:O0LSmCqydZi363hsqc6n2v5sMz3usQMXZF6ziK3SzXU=
+github.com/hashicorp/consul/proto-public v0.1.0/go.mod h1:vs2KkuWwtjkIgA5ezp4YKPzQp4GitV+q/+PvksrA92k=
+github.com/hashicorp/consul/sdk v0.11.0 h1:HRzj8YSCln2yGgCumN5CL8lYlD3gBurnervJRJAZyC4=
+github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-hclog v1.2.2 h1:ihRI7YFwcZdiSD7SIenIhHfQH3OuDvWerAUBZbeQS3M=
 github.com/hashicorp/go-hclog v1.2.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46 h1:BysEAd6g+0HNJ0v99u7KbSObjzxC7rfVQ6yVx6HxrvU=
 github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46/go.mod h1:TjKbv4FhIra0YJ82mws5+4QXOhzv09eAWs4jtOBI4IU=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
+github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=