Add option to disable remote configuration

2023-10-20 01:00:59 +02:00 · 2023-10-20 01:00:59 +02:00 · 0540135996
parent 7ae1d4668e
commit 0540135996
5 changed files with 59 additions and 1 deletions
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@ -782,6 +782,12 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
 			Value:   false,
 		}),
+		altsrc.NewBoolFlag(&cli.BoolFlag{
+			Name:    config.DisableRemoteConfigFlag,
+			Usage:   "Disables remote configuration from the edge",
+			EnvVars: []string{"TUNNEL_NO_REMOTE_CONFIG"},
+			Value:   false,
+		}),
 		selectProtocolFlag,
 		overwriteDNSFlag,
 	}...)
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -39,7 +39,7 @@ var (

 	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}

-	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
+	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address", config.DisableRemoteConfigFlag}
 )

 func generateRandomClientID(log *zerolog.Logger) (string, error) {
@ -135,6 +135,15 @@ func prepareTunnelConfig(
 	transportProtocol := c.String("protocol")

 	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
+	if c.Bool(config.DisableRemoteConfigFlag) {
+		log.Info().Msg("Remote configuration disabled")
+		for i, feature := range clientFeatures {
+			if feature == features.FeatureAllowRemoteConfig {
+				clientFeatures = append(clientFeatures[:i], clientFeatures[i+1:]...)
+				break
+			}
+		}
+	}

 	staticFeatures := features.StaticFeatures{}
 	if c.Bool("post-quantum") {
--- a/config/configuration.go
+++ b/config/configuration.go
@ -41,6 +41,9 @@ var (
 const (
 	// BastionFlag is to enable bastion, or jump host, operation
 	BastionFlag = "bastion"
+
+	// DisableRemoteConfigFlag is to disable remote configuration
+	DisableRemoteConfigFlag = "no-remote-config"
 )

 // DefaultConfigDirectory returns the default directory of the config file
--- a/orchestration/orchestrator.go
+++ b/orchestration/orchestrator.go
@ -17,6 +17,11 @@ import (
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )

+const (
+	// Get disableRemoteConfigFlag const from cloudflared/config as the package is later shadowed by a variable
+	disableRemoteConfigFlag = config.DisableRemoteConfigFlag
+)
+
 // Orchestrator manages configurations so they can be updatable during runtime
 // properties are static, so it can be read without lock
 // currentVersion and config are read/write infrequently, so their access are synchronized with RWMutex
@ -64,6 +69,15 @@ func (o *Orchestrator) UpdateConfig(version int32, config []byte) *tunnelpogs.Up
 	o.lock.Lock()
 	defer o.lock.Unlock()

+	if _, ok := o.config.ConfigurationFlags[disableRemoteConfigFlag]; ok {
+		o.log.Warn().
+			Int32("version", version).
+			Msg("Ignoring update because remote configuration is disabled")
+		return &tunnelpogs.UpdateConfigurationResponse{
+			LastAppliedVersion: o.currentVersion,
+		}
+	}
+
 	if o.currentVersion >= version {
 		o.log.Debug().
 			Int32("current_version", o.currentVersion).
--- a/orchestration/orchestrator_test.go
+++ b/orchestration/orchestrator_test.go
@ -222,6 +222,32 @@ func TestUpdateConfiguration_WithoutIngressRule(t *testing.T) {
 	require.Len(t, orchestrator.config.Ingress.Rules, 1)
 }

+// Validates that the configuration won't be updated if a locally managed tunnel with remote configuration disabled 
+// receives a configuration update from the remote.
+func TestUpdateConfigurationWithRemoteConfigDisabled(t *testing.T) {
+	initConfig := &Config{
+		Ingress: &ingress.Ingress{},
+		ConfigurationFlags: map[string]string{config.DisableRemoteConfigFlag: "true"},
+	}
+	orchestrator, err := NewOrchestrator(context.Background(), initConfig, testTags, []ingress.Rule{}, &testLogger)
+	require.NoError(t, err)
+
+	configJSONV1 := []byte(`
+{
+	"ingress": [
+		{
+			"service": "http_status:404"
+		}
+	],
+	"warp-routing": {
+	}
+}
+`)
+	resp := orchestrator.UpdateConfig(1, configJSONV1)
+	require.NoError(t, resp.Err)
+	require.Equal(t, int32(-1), resp.LastAppliedVersion)
+}
+
 // TestConcurrentUpdateAndRead makes sure orchestrator can receive updates and return origin proxy concurrently
 func TestConcurrentUpdateAndRead(t *testing.T) {
 	const (