Add option to disable remote configuration
parent
7ae1d4668e
commit
0540135996
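--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -782,6 +782,12 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 EnvVars: []string{"TUNNEL_MANAGEMENT_DIAGNOSTICS"},
 Value: false,
 }),
+altsrc.NewBoolFlag(&cli.BoolFlag{
+Name: config.DisableRemoteConfigFlag,
+Usage: "Disables remote configuration from the edge",
+EnvVars: []string{"TUNNEL_NO_REMOTE_CONFIG"},
+Value: false,
+}),
 selectProtocolFlag,
 overwriteDNSFlag,
 }...)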
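Review bot: The Usage string of the new `no-remote-config` flag says what it disables but not what the connector does instead, which is what an operator reading `--help` needs before relying on it; the orchestrator change in this commit shows that pushed updates are ignored and the current version is kept, so something like `Usage: "Ignore configuration updates pushed from the edge; the tunnel keeps the configuration it was started with",` would state the effect explicitly. The `Value: false` line repeats the zero value, but it matches the neighbouring flag, so keeping it is a reasonable consistency choice. tunnelFlags starts and ends outside the hunk.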
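--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -39,7 +39,7 @@ var (
 
 secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
 
-configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
+configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address", config.DisableRemoteConfigFlag}
 )
 
 func generateRandomClientID(log *zerolog.Logger) (string, error) {
@@ -135,6 +135,15 @@ func prepareTunnelConfig(
 transportProtocol := c.String("protocol")
 
 clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
+if c.Bool(config.DisableRemoteConfigFlag) {
+log.Info().Msg("Remote configuration disabled")
+for i, feature := range clientFeatures {
+if feature == features.FeatureAllowRemoteConfig {
+clientFeatures = append(clientFeatures[:i], clientFeatures[i+1:]...)
+break
+}
+}
+}
 
 staticFeatures := features.StaticFeatures{}
 if c.Bool("post-quantum") {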
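Review bot: The loop in prepareTunnelConfig deletes from clientFeatures while ranging over it; that is only correct because of the `break` immediately after the `append`, and it silently relies on the feature appearing at most once (presumably what features.Dedup guarantees, but that is not visible here). A filter states the intent directly and holds regardless of duplicates: `clientFeatures = slices.DeleteFunc(clientFeatures, func(f string) bool { return f == features.FeatureAllowRemoteConfig })` if the module targets Go 1.21 or later, otherwise a short keep-loop appending into a fresh slice. A why-comment above the block would also help the next reader, e.g. `// Drop the remote-config feature so the edge is not told this connector accepts pushed configuration` (hedged: the wire effect of the feature list is not shown in this hunk). The enclosing function continues outside the hunk.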
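--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -41,6 +41,9 @@ var (
 const (
 // BastionFlag is to enable bastion, or jump host, operation
 BastionFlag = "bastion"
+
+// DisableRemoteConfigFlag is to disable remote configuration
+DisableRemoteConfigFlag = "no-remote-config"
 )
 
 // DefaultConfigDirectory returns the default directory of the config file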
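Review bot: The doc comment on DisableRemoteConfigFlag describes intent but not what the constant is; in this commit it serves both as the CLI flag name and, as the orchestrator test fixture shows, as the key under which the setting is recorded in ConfigurationFlags. `// DisableRemoteConfigFlag is the name of the flag that disables remote configuration; it is also the key under which the setting is stored in the tunnel's ConfigurationFlags.` documents both uses so a future reader does not rename one without the other.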
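--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -17,6 +17,11 @@ import (
 tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
+const (
+// Get disableRemoteConfigFlag const from cloudflared/config as the package is later shadowed by a variable
+disableRemoteConfigFlag = config.DisableRemoteConfigFlag
+)
+
 // Orchestrator manages configurations so they can be updatable during runtime
 // properties are static, so it can be read without lock
 // currentVersion and config are read/write infrequently, so their access are synchronized with RWMutex
@@ -64,6 +69,15 @@ func (o *Orchestrator) UpdateConfig(version int32, config []byte) *tunnelpogs.Up
 o.lock.Lock()
 defer o.lock.Unlock()
 
+if _, ok := o.config.ConfigurationFlags[disableRemoteConfigFlag]; ok {
+o.log.Warn().
+Int32("version", version).
+Msg("Ignoring update because remote configuration is disabled")
+return &tunnelpogs.UpdateConfigurationResponse{
+LastAppliedVersion: o.currentVersion,
+}
+}
+
 if o.currentVersion >= version {
 o.log.Debug().
 Int32("current_version", o.currentVersion).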
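Review bot: The guard added to UpdateConfig disables remote configuration whenever the `no-remote-config` key is present in ConfigurationFlags, regardless of its value, whereas prepareTunnelConfig in the same commit reads `c.Bool(config.DisableRemoteConfigFlag)`; if the map is filled with the flag's string value whenever the flag is set, as the test fixture's `"true"` suggests, an explicit `--no-remote-config=false` (or `TUNNEL_NO_REMOTE_CONFIG=false`) would stop every edge update with only the warning log to show it. Parsing the value keeps the two checks consistent: `if v, ok := o.config.ConfigurationFlags[disableRemoteConfigFlag]; ok {` followed by `if disabled, err := strconv.ParseBool(v); err != nil || disabled {` (with `strconv` imported), so an unparsable value still fails safe toward ignoring updates while a deliberate "false" does not. The `disableRemoteConfigFlag` alias exists only because the `config []byte` parameter shadows the config package; renaming the parameter (for example `raw []byte`) would let the method use `config.DisableRemoteConfigFlag` directly and drop the alias and its comment. UpdateConfig continues past the hunk.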
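--- a/PATH_NOT_SHOWN_5
+++ b/PATH_NOT_SHOWN_5
@@ -222,6 +222,32 @@ func TestUpdateConfiguration_WithoutIngressRule(t *testing.T) {
 require.Len(t, orchestrator.config.Ingress.Rules, 1)
 }
 
+// Validates that the configuration won't be updated if a locally managed tunnel with remote configuration disabled
+// receives a configuration update from the remote.
+func TestUpdateConfigurationWithRemoteConfigDisabled(t *testing.T) {
+initConfig := &Config{
+Ingress: &ingress.Ingress{},
+ConfigurationFlags: map[string]string{config.DisableRemoteConfigFlag: "true"},
+}
+orchestrator, err := NewOrchestrator(context.Background(), initConfig, testTags, []ingress.Rule{}, &testLogger)
+require.NoError(t, err)
+
+configJSONV1 := []byte(`
+{
+"ingress": [
+{
+"service": "http_status:404"
+}
+],
+"warp-routing": {
+}
+}
+`)
+resp := orchestrator.UpdateConfig(1, configJSONV1)
+require.NoError(t, resp.Err)
+require.Equal(t, int32(-1), resp.LastAppliedVersion)
+}
+
 // TestConcurrentUpdateAndRead makes sure orchestrator can receive updates and return origin proxy concurrently
 func TestConcurrentUpdateAndRead(t *testing.T) {
 const (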
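Review bot: TestUpdateConfigurationWithRemoteConfigDisabled only checks the response; it does not assert that the orchestrator's state was left untouched, which is the property the guard exists to protect. Adding `require.Equal(t, int32(-1), orchestrator.currentVersion)` and `require.Len(t, orchestrator.config.Ingress.Rules, 0)` after the UpdateConfig call pins that down, in the same style as the preceding test's `require.Len` on the applied rules. A second case with `config.DisableRemoteConfigFlag: "false"` would also document whether the key's presence or its value is meant to disable remote configuration, since the fixture currently exercises "true" only.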