
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io
Mozilla Public License 2.0

consul validate acts inconsistent on field names #2

Open arturo-aparicio opened 2 years ago

arturo-aparicio commented 2 years ago

Issue by selfscrum Sunday Jul 24, 2022 at 20:22 GMT Originally opened as https://github.com/hashicorp/consul/issues/13873


Overview of the Issue

Validation recommends to not use deprecated field names but fails when using the proposed ones.

root@nc-2:~# consul validate /etc/consul.d/consul.hcl
The 'ca_file' field is deprecated. Use the 'tls.defaults.ca_file' field instead.
The 'cert_file' field is deprecated. Use the 'tls.defaults.cert_file' field instead.
The 'key_file' field is deprecated. Use the 'tls.defaults.key_file' field instead.
The 'verify_incoming' field is deprecated. Use the 'tls.defaults.verify_incoming' field instead.
The 'verify_outgoing' field is deprecated. Use the 'tls.defaults.verify_outgoing' field instead.
The 'verify_server_hostname' field is deprecated. Use the 'tls.internal_rpc.verify_server_hostname' field instead.
Configuration is valid!

root@nc-2:~# consul validate /etc/consul.d/consul.hcl
Config validation failed: failed to parse /etc/consul.d/consul.hcl: 6 errors occurred:
        * invalid config key tls.internal_rpc.verify_server_hostname
        * invalid config key tls.defaults.verify_outgoing
        * invalid config key tls.defaults.verify_incoming
        * invalid config key tls.defaults.key_file
        * invalid config key tls.defaults.ca_file
        * invalid config key tls.defaults.cert_file

Reproduction Steps

I used this config in /etc/consul.d/consul.hcl: in the first call without the tls... qualification, then with it in call 2.

datacenter = "dc1"
data_dir = "/opt/consul"
encrypt = "<key here>"
tls.defaults.ca_file = "/etc/consul.d/consul-agent-ca.pem"
tls.defaults.cert_file = "/etc/consul.d/dc1-server-consul-2.pem"
tls.defaults.key_file = "/etc/consul.d/dc1-server-consul-2-key.pem"
tls.defaults.verify_incoming = true
tls.defaults.verify_outgoing = true
tls.internal_rpc.verify_server_hostname = true
retry_join = [" 10.0.0.3", "10.0.0.21", "10.0.0.22"]
bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr \"address\" }}"

acl = {
  enabled = true
  default_policy = "allow"
  enable_token_persistence = true
}

performance {
  raft_multiplier = 1
}

Consul info for both Client and Server

Consul v1.12.3 Revision 2308c75e

Operating system and Environment details

Ubuntu 20.04

arturo-aparicio commented 2 years ago

Comment by Amier3 Monday Jul 25, 2022 at 13:37 GMT


Hey @selfscrum

Thanks for bringing this to our attention. Looks like this might be related to https://github.com/hashicorp/consul/issues/13793 .

arturo-aparicio commented 2 years ago

Comment by jkirschner-hashicorp Monday Jul 25, 2022 at 15:31 GMT


Hi @selfscrum,

I see how the error message here can be misleading. Meaning: it says "use tls.defaults.ca_file", but when you do that, there's a validation error.

What is meant to be communicated is that each . represents a nested scope. So the config should look something like...

tls = {
  defaults = {
    ca_file = "/etc/consul.d/consul-agent-ca.pem"
    cert_file = "/etc/consul.d/dc1-server-consul-2.pem"
    key_file = "/etc/consul.d/dc1-server-consul-2-key.pem"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc = {
    verify_server_hostname = true
  }
}

Do you have any suggestions on what we could do differently in consul validate or the docs to help others avoid this confusion? Thanks for your help!

arturo-aparicio commented 2 years ago

Comment by selfscrum Monday Jul 25, 2022 at 15:41 GMT


Hi, thanks, that's good to know. I actually created an HCL config, not a JSON one. How would that nested hierarchy be represented? I know from other systems that the nested structure is flattened as I did erroneously.

I think a brief description of JSON vs HCL in the documentation and how to read both side-by-side would be sufficient. Then you could just refer back to the doc details in the executable.

So, for me the only question is now how should I map this properly in HCL? Thanks :)

arturo-aparicio commented 2 years ago

Comment by jkirschner-hashicorp Monday Jul 25, 2022 at 15:44 GMT


Flattening was a very reasonable assumption to make!

I think the config snippet above should work for HCL (though there's a small chance I made a mistake - best to run it through consul validate!)

You already have a working example for "acl.enabled" in your config file, for example. It uses that same pattern:

acl = {
  enabled = true
}

arturo-aparicio commented 2 years ago

Comment by selfscrum Monday Jul 25, 2022 at 15:45 GMT


But then tls.defaults.ca_file should have worked?

arturo-aparicio commented 2 years ago

Comment by selfscrum Monday Jul 25, 2022 at 15:46 GMT


Ah no, ok, got it. You mean I do nested blocks as well.
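The confusion in this thread comes down to one rule: each `.` in a deprecation message such as `tls.defaults.ca_file` names a nested scope, not a literal key. The following script is an added example, not code from the thread or from the Consul project. It takes the flattened dotted keys from the reporter's config (reconstructed here with a placeholder gossip key) and expands them into the nested block structure that `consul validate` accepts, then renders it as HCL in the same `name = { ... }` style the maintainer used. It also rejects a flat config where a key is used both as a scalar and as a scope, which is the kind of conflict that would otherwise surface as a confusing validation error. The dotted-key expansion and renderer are written for this example; they are not part of Consul's parser.

```python
"""Expand dotted Consul config keys into nested HCL blocks (added example)."""
import json

# Constructed input: the reporter's flattened config, with the gossip key
# replaced by an obvious placeholder. The dotted keys are what the
# deprecation messages print; they are NOT valid as literal HCL keys.
FLAT_CONFIG = {
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "encrypt": "<placeholder-gossip-key>",
    "tls.defaults.ca_file": "/etc/consul.d/consul-agent-ca.pem",
    "tls.defaults.cert_file": "/etc/consul.d/dc1-server-consul-2.pem",
    "tls.defaults.key_file": "/etc/consul.d/dc1-server-consul-2-key.pem",
    "tls.defaults.verify_incoming": True,
    "tls.defaults.verify_outgoing": True,
    "tls.internal_rpc.verify_server_hostname": True,
    "retry_join": ["10.0.0.3", "10.0.0.21", "10.0.0.22"],
    "bind_addr": '{{ GetPrivateInterfaces | include "network" "10.0.0.0/8" | attr "address" }}',
    "acl.enabled": True,
    "acl.default_policy": "allow",
    "acl.enable_token_persistence": True,
    "performance.raft_multiplier": 1,
}


def expand_dotted_keys(flat: dict) -> dict:
    """Turn {'a.b.c': v} into {'a': {'b': {'c': v}}}.

    Every dot opens a nested scope. A ValueError is raised when one key is
    used both as a scalar and as a scope (e.g. 'tls' = "x" and 'tls.defaults'),
    since no nested document can represent both.
    """
    nested: dict = {}
    for dotted, value in flat.items():
        parts = dotted.split(".")
        node = nested
        for scope in parts[:-1]:
            child = node.setdefault(scope, {})
            if not isinstance(child, dict):
                raise ValueError(f"{scope!r} is both a scalar and a scope in {dotted!r}")
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{dotted!r} is already used as a scope")
        node[leaf] = value
    return nested


def render_value(value) -> str:
    """Render a scalar or list as an HCL literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, list):
        return "[" + ", ".join(render_value(v) for v in value) + "]"
    # json.dumps gives a double-quoted string with inner quotes escaped,
    # which is also valid HCL string syntax.
    return json.dumps(value)


def to_hcl(nested: dict, indent: int = 0) -> str:
    """Render a nested dict as HCL blocks using the `name = { ... }` form."""
    pad = "  " * indent
    lines = []
    for key, value in nested.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key} = {{")
            lines.append(to_hcl(value, indent + 1))
            lines.append(f"{pad}}}")
        else:
            lines.append(f"{pad}{key} = {render_value(value)}")
    return "\n".join(lines)


def lookup(nested: dict, dotted: str):
    """Resolve a dotted path the way a deprecation message names it."""
    node = nested
    for part in dotted.split("."):
        node = node[part]
    return node


if __name__ == "__main__":
    print(to_hcl(expand_dotted_keys(FLAT_CONFIG)))
```

Running the script prints the nested form of the reporter's file; feeding that output to `consul validate` is the check the maintainer recommended. The `lookup` helper goes the other way: it resolves a path like `tls.internal_rpc.verify_server_hostname` against the nested document, which is how to read the dotted names in the deprecation messages.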