From b5ab897d1eaa4b4d6d2314959d8a6cbfe309c6b0 Mon Sep 17 00:00:00 2001 From: Seth Hoenig Date: Mon, 18 Nov 2019 15:05:06 -0600 Subject: [PATCH] command, docs: create and document consul token configuration for connect acls (gh-6716) This change provides an initial pass at setting up the configuration necessary to enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert` commands (similar to Vault tokens). These values are not actually used yet in this changeset. --- api/jobs.go | 15 +++- api/jobs_test.go | 10 ++- command/agent/command.go | 5 ++ command/agent/config_parse_test.go | 39 ++++---- command/agent/config_test.go | 62 ++++++------- command/agent/job_endpoint.go | 1 + command/agent/job_endpoint_test.go | 6 +- command/agent/testdata/basic.hcl | 1 + command/agent/testdata/basic.json | 1 + command/job_revert.go | 17 +++- command/job_run.go | 24 ++++- jobspec/parse_job.go | 1 + jobspec/parse_test.go | 1 + jobspec/test-fixtures/bad-ports.hcl | 1 + jobspec/test-fixtures/basic.hcl | 1 + jobspec/test-fixtures/basic_wrong_key.hcl | 1 + .../test-fixtures/incorrect-service-def.hcl | 1 + jobspec/test-fixtures/overlapping-ports.hcl | 1 + nomad/structs/config/consul.go | 40 ++++++--- nomad/structs/config/consul_test.go | 89 +++++++++++++++++++ nomad/structs/config/vault.go | 9 +- nomad/structs/structs.go | 12 +++ website/source/api/jobs.html.md | 3 + .../docs/commands/job/revert.html.md.erb | 18 +++- .../source/docs/commands/job/run.html.md.erb | 9 ++ .../source/docs/configuration/consul.html.md | 6 ++ .../source/docs/job-specification/job.html.md | 10 +++ 27 files changed, 306 insertions(+), 78 deletions(-) diff --git a/api/jobs.go b/api/jobs.go index e12709143ae..c5b85a3164d 100644 --- a/api/jobs.go +++ b/api/jobs.go @@ -336,14 +336,15 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string, // enforceVersion is set, the job is only reverted if the current version is at // the passed version. func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64, - q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) { + q *WriteOptions, consulToken, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) { var resp JobRegisterResponse req := &JobRevertRequest{ JobID: jobID, JobVersion: version, EnforcePriorVersion: enforcePriorVersion, - VaultToken: vaultToken, + // ConsulToken: consulToken, // TODO(shoenig) enable! + VaultToken: vaultToken, } wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/revert", req, &resp, q) if err != nil { @@ -670,6 +671,7 @@ type Job struct { Reschedule *ReschedulePolicy Migrate *MigrateStrategy Meta map[string]string + ConsulToken *string `mapstructure:"consul_token"` VaultToken *string `mapstructure:"vault_token"` Status *string StatusDescription *string @@ -722,6 +724,9 @@ func (j *Job) Canonicalize() { if j.AllAtOnce == nil { j.AllAtOnce = boolToPtr(false) } + if j.ConsulToken == nil { + j.ConsulToken = stringToPtr("") + } if j.VaultToken == nil { j.VaultToken = stringToPtr("") } @@ -966,6 +971,12 @@ type JobRevertRequest struct { // version before reverting. EnforcePriorVersion *uint64 + // ConsulToken is the Consul token that proves the submitter of the job revert + // has access to the Service Identity policies associated with the job's + // Consul Connect enabled services. This field is only used to transfer the + // token and is not stored after the Job revert. + ConsulToken string `json:",omitempty"` + // VaultToken is the Vault token that proves the submitter of the job revert // has access to any Vault policies specified in the targeted job version. This // field is only used to authorize the revert and is not stored after the Job diff --git a/api/jobs_test.go b/api/jobs_test.go index 9ec50395490..df4cb23628a 100644 --- a/api/jobs_test.go +++ b/api/jobs_test.go @@ -99,6 +99,7 @@ func TestJobs_Canonicalize(t *testing.T) { ParentID: stringToPtr(""), Priority: intToPtr(50), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Status: stringToPtr(""), StatusDescription: stringToPtr(""), @@ -186,6 +187,7 @@ func TestJobs_Canonicalize(t *testing.T) { ParentID: stringToPtr(""), Priority: intToPtr(50), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Status: stringToPtr(""), StatusDescription: stringToPtr(""), @@ -256,6 +258,7 @@ func TestJobs_Canonicalize(t *testing.T) { ParentID: stringToPtr("lol"), Priority: intToPtr(50), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Stop: boolToPtr(false), Stable: boolToPtr(false), @@ -416,6 +419,7 @@ func TestJobs_Canonicalize(t *testing.T) { Region: stringToPtr("global"), Type: stringToPtr("service"), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Stop: boolToPtr(false), Stable: boolToPtr(false), @@ -566,6 +570,7 @@ func TestJobs_Canonicalize(t *testing.T) { Type: stringToPtr("service"), Priority: intToPtr(50), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Stop: boolToPtr(false), Stable: boolToPtr(false), @@ -650,6 +655,7 @@ func TestJobs_Canonicalize(t *testing.T) { ParentID: stringToPtr("lol"), Priority: intToPtr(50), AllAtOnce: boolToPtr(false), + ConsulToken: stringToPtr(""), VaultToken: stringToPtr(""), Stop: boolToPtr(false), Stable: boolToPtr(false), @@ -846,13 +852,13 @@ func TestJobs_Revert(t *testing.T) { assertWriteMeta(t, wm) // Fail revert at incorrect enforce - _, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "") + _, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "", "") if err == nil || !strings.Contains(err.Error(), "enforcing version") { t.Fatalf("expected enforcement error: %v", err) } // Works at correct index - revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "") + revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "", "") if err != nil { t.Fatalf("err: %s", err) } diff --git a/command/agent/command.go b/command/agent/command.go index d90429211ae..8a886377cc9 100644 --- a/command/agent/command.go +++ b/command/agent/command.go @@ -155,6 +155,10 @@ func (c *Command) readConfig() *Config { return nil }), "consul-verify-ssl", "") flags.StringVar(&cmdConfig.Consul.Addr, "consul-address", "", "") + flags.Var((flaghelper.FuncBoolVar)(func(b bool) error { + cmdConfig.Consul.AllowUnauthenticated = &b + return nil + }), "consul-allow-unauthenticated", "") // Vault options flags.Var((flaghelper.FuncBoolVar)(func(b bool) error { @@ -560,6 +564,7 @@ func (c *Command) AutocompleteFlags() complete.Flags { "-consul-ssl": complete.PredictNothing, "-consul-verify-ssl": complete.PredictNothing, "-consul-address": complete.PredictAnything, + "-consul-token": complete.PredictAnything, "-vault-enabled": complete.PredictNothing, "-vault-allow-unauthenticated": complete.PredictNothing, "-vault-token": complete.PredictAnything, diff --git a/command/agent/config_parse_test.go b/command/agent/config_parse_test.go index 51368fd5d41..62d187698d1 100644 --- a/command/agent/config_parse_test.go +++ b/command/agent/config_parse_test.go @@ -151,25 +151,26 @@ var basicConfig = &Config{ DisableUpdateCheck: helper.BoolToPtr(true), DisableAnonymousSignature: true, Consul: &config.ConsulConfig{ - ServerServiceName: "nomad", - ServerHTTPCheckName: "nomad-server-http-health-check", - ServerSerfCheckName: "nomad-server-serf-health-check", - ServerRPCCheckName: "nomad-server-rpc-health-check", - ClientServiceName: "nomad-client", - ClientHTTPCheckName: "nomad-client-http-health-check", - Addr: "127.0.0.1:9500", - Token: "token1", - Auth: "username:pass", - EnableSSL: &trueValue, - VerifySSL: &trueValue, - CAFile: "/path/to/ca/file", - CertFile: "/path/to/cert/file", - KeyFile: "/path/to/key/file", - ServerAutoJoin: &trueValue, - ClientAutoJoin: &trueValue, - AutoAdvertise: &trueValue, - ChecksUseAdvertise: &trueValue, - Timeout: 5 * time.Second, + ServerServiceName: "nomad", + ServerHTTPCheckName: "nomad-server-http-health-check", + ServerSerfCheckName: "nomad-server-serf-health-check", + ServerRPCCheckName: "nomad-server-rpc-health-check", + ClientServiceName: "nomad-client", + ClientHTTPCheckName: "nomad-client-http-health-check", + Addr: "127.0.0.1:9500", + AllowUnauthenticated: &trueValue, + Token: "token1", + Auth: "username:pass", + EnableSSL: &trueValue, + VerifySSL: &trueValue, + CAFile: "/path/to/ca/file", + CertFile: "/path/to/cert/file", + KeyFile: "/path/to/key/file", + ServerAutoJoin: &trueValue, + ClientAutoJoin: &trueValue, + AutoAdvertise: &trueValue, + ChecksUseAdvertise: &trueValue, + Timeout: 5 * time.Second, }, Vault: &config.VaultConfig{ Addr: "127.0.0.1:9500", diff --git a/command/agent/config_test.go b/command/agent/config_test.go index 3ca459cda47..24126fd2cf1 100644 --- a/command/agent/config_test.go +++ b/command/agent/config_test.go @@ -159,21 +159,22 @@ func TestConfig_Merge(t *testing.T) { TLSServerName: "1", }, Consul: &config.ConsulConfig{ - ServerServiceName: "1", - ClientServiceName: "1", - AutoAdvertise: &falseValue, - Addr: "1", - Timeout: 1 * time.Second, - Token: "1", - Auth: "1", - EnableSSL: &falseValue, - VerifySSL: &falseValue, - CAFile: "1", - CertFile: "1", - KeyFile: "1", - ServerAutoJoin: &falseValue, - ClientAutoJoin: &falseValue, - ChecksUseAdvertise: &falseValue, + ServerServiceName: "1", + ClientServiceName: "1", + AutoAdvertise: &falseValue, + Addr: "1", + AllowUnauthenticated: &falseValue, + Timeout: 1 * time.Second, + Token: "1", + Auth: "1", + EnableSSL: &falseValue, + VerifySSL: &falseValue, + CAFile: "1", + CertFile: "1", + KeyFile: "1", + ServerAutoJoin: &falseValue, + ClientAutoJoin: &falseValue, + ChecksUseAdvertise: &falseValue, }, Autopilot: &config.AutopilotConfig{ CleanupDeadServers: &falseValue, @@ -333,21 +334,22 @@ func TestConfig_Merge(t *testing.T) { TLSServerName: "2", }, Consul: &config.ConsulConfig{ - ServerServiceName: "2", - ClientServiceName: "2", - AutoAdvertise: &trueValue, - Addr: "2", - Timeout: 2 * time.Second, - Token: "2", - Auth: "2", - EnableSSL: &trueValue, - VerifySSL: &trueValue, - CAFile: "2", - CertFile: "2", - KeyFile: "2", - ServerAutoJoin: &trueValue, - ClientAutoJoin: &trueValue, - ChecksUseAdvertise: &trueValue, + ServerServiceName: "2", + ClientServiceName: "2", + AutoAdvertise: &trueValue, + Addr: "2", + AllowUnauthenticated: &trueValue, + Timeout: 2 * time.Second, + Token: "2", + Auth: "2", + EnableSSL: &trueValue, + VerifySSL: &trueValue, + CAFile: "2", + CertFile: "2", + KeyFile: "2", + ServerAutoJoin: &trueValue, + ClientAutoJoin: &trueValue, + ChecksUseAdvertise: &trueValue, }, Sentinel: &config.SentinelConfig{ Imports: []*config.SentinelImport{ diff --git a/command/agent/job_endpoint.go b/command/agent/job_endpoint.go index 808e3ff1497..bd53d9d78fe 100644 --- a/command/agent/job_endpoint.go +++ b/command/agent/job_endpoint.go @@ -633,6 +633,7 @@ func ApiJobToStructJob(job *api.Job) *structs.Job { Datacenters: job.Datacenters, Payload: job.Payload, Meta: job.Meta, + ConsulToken: *job.ConsulToken, VaultToken: *job.VaultToken, Constraints: ApiConstraintsToStructs(job.Constraints), Affinities: ApiAffinitiesToStructs(job.Affinities), diff --git a/command/agent/job_endpoint_test.go b/command/agent/job_endpoint_test.go index 88deda125c8..41d08ca0ae4 100644 --- a/command/agent/job_endpoint_test.go +++ b/command/agent/job_endpoint_test.go @@ -1714,7 +1714,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) { }, }, }, - VaultToken: helper.StringToPtr("token"), + ConsulToken: helper.StringToPtr("abc123"), + VaultToken: helper.StringToPtr("def456"), Status: helper.StringToPtr("status"), StatusDescription: helper.StringToPtr("status_desc"), Version: helper.Uint64ToPtr(10), @@ -2060,7 +2061,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) { }, }, - VaultToken: "token", + ConsulToken: "abc123", + VaultToken: "def456", } structsJob := ApiJobToStructJob(apiJob) diff --git a/command/agent/testdata/basic.hcl b/command/agent/testdata/basic.hcl index 0f569b4878f..16db9d398b0 100644 --- a/command/agent/testdata/basic.hcl +++ b/command/agent/testdata/basic.hcl @@ -174,6 +174,7 @@ consul { client_service_name = "nomad-client" client_http_check_name = "nomad-client-http-health-check" address = "127.0.0.1:9500" + allow_unauthenticated = true token = "token1" auth = "username:pass" ssl = true diff --git a/command/agent/testdata/basic.json b/command/agent/testdata/basic.json index 22bb3a36c54..7adf2079bd4 100644 --- a/command/agent/testdata/basic.json +++ b/command/agent/testdata/basic.json @@ -111,6 +111,7 @@ "consul": [ { "address": "127.0.0.1:9500", + "allow_unauthenticated": true, "auth": "username:pass", "auto_advertise": true, "ca_file": "/path/to/ca/file", diff --git a/command/job_revert.go b/command/job_revert.go index 99d22f0365f..efc4b59cb68 100644 --- a/command/job_revert.go +++ b/command/job_revert.go @@ -31,9 +31,13 @@ Revert Options: the evaluation ID will be printed to the screen, which can be used to examine the evaluation using the eval-status command. + -consul-token + The Consul token used to verify that the caller has access to the Service + Identity policies associated in the targeted version of the job. + -vault-token The Vault token used to verify that the caller has access to the Vault - policies i the targeted version of the job. + policies in the targeted version of the job. -verbose Display full information. @@ -72,12 +76,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" } func (c *JobRevertCommand) Run(args []string) int { var detach, verbose bool - var vaultToken string + var consulToken, vaultToken string flags := c.Meta.FlagSet(c.Name(), FlagSetClient) flags.Usage = func() { c.Ui.Output(c.Help()) } flags.BoolVar(&detach, "detach", false, "") flags.BoolVar(&verbose, "verbose", false, "") + flags.StringVar(&consulToken, "consul-token", "", "") flags.StringVar(&vaultToken, "vault-token", "", "") if err := flags.Parse(args); err != nil { @@ -105,6 +110,12 @@ func (c *JobRevertCommand) Run(args []string) int { return 1 } + // Parse the Consul token + if consulToken == "" { + // Check the environment variable + consulToken = os.Getenv("CONSUL_TOKEN") + } + // Parse the Vault token if vaultToken == "" { // Check the environment variable @@ -138,7 +149,7 @@ func (c *JobRevertCommand) Run(args []string) int { } // Prefix lookup matched a single job - resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken) + resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, consulToken, vaultToken) if err != nil { c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err)) return 1 diff --git a/command/job_run.go b/command/job_run.go index cc6c5b92474..e9ccfeb4198 100644 --- a/command/job_run.go +++ b/command/job_run.go @@ -52,6 +52,10 @@ Alias: nomad run If the job has specified the region, the -region flag and NOMAD_REGION environment variable are overridden and the job's region is used. + The run command will set the consul_token of the job based on the following + precedence, going from highest to lowest: the -consul-token flag, the + $CONSUL_TOKEN environment variable and finally the value in the job file. + The run command will set the vault_token of the job based on the following precedence, going from highest to lowest: the -vault-token flag, the $VAULT_TOKEN environment variable and finally the value in the job file. @@ -82,6 +86,12 @@ Run Options: -policy-override Sets the flag to force override any soft mandatory Sentinel policies. + -consul-token + If set, the passed Consul token is stored in the job before sending to the + Nomad servers. This allows passing the Consul token without storing it in + the job file. This overrides the token found in $CONSUL_TOKEN environment + variable and that found in the job. + -vault-token If set, the passed Vault token is stored in the job before sending to the Nomad servers. This allows passing the Vault token without storing it in @@ -104,6 +114,7 @@ func (c *JobRunCommand) AutocompleteFlags() complete.Flags { "-check-index": complete.PredictNothing, "-detach": complete.PredictNothing, "-verbose": complete.PredictNothing, + "-consul-token": complete.PredictNothing, "-vault-token": complete.PredictAnything, "-output": complete.PredictNothing, "-policy-override": complete.PredictNothing, @@ -118,7 +129,7 @@ func (c *JobRunCommand) Name() string { return "job run" } func (c *JobRunCommand) Run(args []string) int { var detach, verbose, output, override bool - var checkIndexStr, vaultToken string + var checkIndexStr, consulToken, vaultToken string flags := c.Meta.FlagSet(c.Name(), FlagSetClient) flags.Usage = func() { c.Ui.Output(c.Help()) } @@ -127,6 +138,7 @@ func (c *JobRunCommand) Run(args []string) int { flags.BoolVar(&output, "output", false, "") flags.BoolVar(&override, "policy-override", false, "") flags.StringVar(&checkIndexStr, "check-index", "", "") + flags.StringVar(&consulToken, "consul-token", "", "") flags.StringVar(&vaultToken, "vault-token", "", "") if err := flags.Parse(args); err != nil { @@ -175,6 +187,16 @@ func (c *JobRunCommand) Run(args []string) int { periodic := job.IsPeriodic() paramjob := job.IsParameterized() + // Parse the Consul token + if consulToken == "" { + // Check the environment variable + consulToken = os.Getenv("CONSUL_TOKEN") + } + + if consulToken != "" { + job.ConsulToken = helper.StringToPtr(consulToken) + } + // Parse the Vault token if vaultToken == "" { // Check the environment variable diff --git a/jobspec/parse_job.go b/jobspec/parse_job.go index e4f75404b72..3a683005995 100644 --- a/jobspec/parse_job.go +++ b/jobspec/parse_job.go @@ -79,6 +79,7 @@ func parseJob(result *api.Job, list *ast.ObjectList) error { "update", "vault", "vault_token", + "consul_token", } if err := helper.CheckHCLKeys(listVal, valid); err != nil { return multierror.Prefix(err, "job:") diff --git a/jobspec/parse_test.go b/jobspec/parse_test.go index 9bac757df61..9bcb30b8cf3 100644 --- a/jobspec/parse_test.go +++ b/jobspec/parse_test.go @@ -31,6 +31,7 @@ func TestParse(t *testing.T) { Datacenters: []string{"us2", "eu1"}, Region: helper.StringToPtr("fooregion"), Namespace: helper.StringToPtr("foonamespace"), + ConsulToken: helper.StringToPtr("abc"), VaultToken: helper.StringToPtr("foo"), Meta: map[string]string{ diff --git a/jobspec/test-fixtures/bad-ports.hcl b/jobspec/test-fixtures/bad-ports.hcl index 4b163de4853..5efafb70d3b 100644 --- a/jobspec/test-fixtures/bad-ports.hcl +++ b/jobspec/test-fixtures/bad-ports.hcl @@ -4,6 +4,7 @@ job "binstore-storagelocker" { priority = 50 all_at_once = true datacenters = ["us2", "eu1"] + consul_token = "abc" vault_token = "foo" meta { diff --git a/jobspec/test-fixtures/basic.hcl b/jobspec/test-fixtures/basic.hcl index 19b8a596487..fcad99e2809 100644 --- a/jobspec/test-fixtures/basic.hcl +++ b/jobspec/test-fixtures/basic.hcl @@ -5,6 +5,7 @@ job "binstore-storagelocker" { priority = 52 all_at_once = true datacenters = ["us2", "eu1"] + consul_token = "abc" vault_token = "foo" meta { diff --git a/jobspec/test-fixtures/basic_wrong_key.hcl b/jobspec/test-fixtures/basic_wrong_key.hcl index b904d2a3a90..46acbdda68e 100644 --- a/jobspec/test-fixtures/basic_wrong_key.hcl +++ b/jobspec/test-fixtures/basic_wrong_key.hcl @@ -4,6 +4,7 @@ job "binstore-storagelocker" { priority = 50 all_at_once = true datacenters = ["us2", "eu1"] + consul_token = "abc" vault_token = "foo" meta { diff --git a/jobspec/test-fixtures/incorrect-service-def.hcl b/jobspec/test-fixtures/incorrect-service-def.hcl index 1b0470f45ee..981b5c8b094 100644 --- a/jobspec/test-fixtures/incorrect-service-def.hcl +++ b/jobspec/test-fixtures/incorrect-service-def.hcl @@ -4,6 +4,7 @@ job "binstore-storagelocker" { priority = 50 all_at_once = true datacenters = ["us2", "eu1"] + consul_token = "abc" vault_token = "foo" meta { diff --git a/jobspec/test-fixtures/overlapping-ports.hcl b/jobspec/test-fixtures/overlapping-ports.hcl index 29f43d63dee..56bc293029c 100644 --- a/jobspec/test-fixtures/overlapping-ports.hcl +++ b/jobspec/test-fixtures/overlapping-ports.hcl @@ -4,6 +4,7 @@ job "binstore-storagelocker" { priority = 50 all_at_once = true datacenters = ["us2", "eu1"] + consul_token = "abc" vault_token = "foo" meta { diff --git a/nomad/structs/config/consul.go b/nomad/structs/config/consul.go index a5df0762201..8772c9bc8c4 100644 --- a/nomad/structs/config/consul.go +++ b/nomad/structs/config/consul.go @@ -72,6 +72,11 @@ type ConsulConfig struct { // the agent's default token Token string `hcl:"token"` + // AllowUnauthenticated allows users to submit jobs requiring Consul + // Service Identity tokens without providing a Consul token proving they + // have access to such policies. + AllowUnauthenticated *bool `hcl:"allow_unauthenticated"` + // Auth is the information to use for http access to Consul agent Auth string `hcl:"auth"` @@ -115,17 +120,18 @@ type ConsulConfig struct { func DefaultConsulConfig() *ConsulConfig { def := consul.DefaultConfig() return &ConsulConfig{ - ServerServiceName: "nomad", - ServerHTTPCheckName: "Nomad Server HTTP Check", - ServerSerfCheckName: "Nomad Server Serf Check", - ServerRPCCheckName: "Nomad Server RPC Check", - ClientServiceName: "nomad-client", - ClientHTTPCheckName: "Nomad Client HTTP Check", - AutoAdvertise: helper.BoolToPtr(true), - ChecksUseAdvertise: helper.BoolToPtr(false), - ServerAutoJoin: helper.BoolToPtr(true), - ClientAutoJoin: helper.BoolToPtr(true), - Timeout: 5 * time.Second, + ServerServiceName: "nomad", + ServerHTTPCheckName: "Nomad Server HTTP Check", + ServerSerfCheckName: "Nomad Server Serf Check", + ServerRPCCheckName: "Nomad Server RPC Check", + ClientServiceName: "nomad-client", + ClientHTTPCheckName: "Nomad Client HTTP Check", + AutoAdvertise: helper.BoolToPtr(true), + ChecksUseAdvertise: helper.BoolToPtr(false), + ServerAutoJoin: helper.BoolToPtr(true), + ClientAutoJoin: helper.BoolToPtr(true), + AllowUnauthenticated: helper.BoolToPtr(true), + Timeout: 5 * time.Second, // From Consul api package defaults Addr: def.Address, @@ -135,6 +141,12 @@ func DefaultConsulConfig() *ConsulConfig { } } +// AllowsUnauthenticated returns whether the config allows unauthenticated +// creation of Consul Service Identity tokens for Consul Connect enabled Tasks. +func (a *ConsulConfig) AllowsUnauthenticated() bool { + return a.AllowUnauthenticated != nil && *a.AllowUnauthenticated +} + // Merge merges two Consul Configurations together. func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig { result := a.Copy() @@ -203,6 +215,9 @@ func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig { if b.ChecksUseAdvertise != nil { result.ChecksUseAdvertise = helper.BoolToPtr(*b.ChecksUseAdvertise) } + if b.AllowUnauthenticated != nil { + result.AllowUnauthenticated = helper.BoolToPtr(*b.AllowUnauthenticated) + } return result } @@ -289,6 +304,9 @@ func (c *ConsulConfig) Copy() *ConsulConfig { if nc.ClientAutoJoin != nil { nc.ClientAutoJoin = helper.BoolToPtr(*nc.ClientAutoJoin) } + if nc.AllowUnauthenticated != nil { + nc.AllowUnauthenticated = helper.BoolToPtr(*nc.AllowUnauthenticated) + } return nc } diff --git a/nomad/structs/config/consul_test.go b/nomad/structs/config/consul_test.go index afaa866193b..eb228814fd1 100644 --- a/nomad/structs/config/consul_test.go +++ b/nomad/structs/config/consul_test.go @@ -6,6 +6,7 @@ import ( "os" "os/exec" "testing" + "time" consulapi "github.com/hashicorp/consul/api" "github.com/stretchr/testify/assert" @@ -27,6 +28,94 @@ func TestMain(m *testing.M) { os.Exit(0) } +func TestConsulConfig_Merge(t *testing.T) { + yes, no := true, false + + c1 := &ConsulConfig{ + ServerServiceName: "1", + ServerHTTPCheckName: "1", + ServerSerfCheckName: "1", + ServerRPCCheckName: "1", + ClientServiceName: "1", + ClientHTTPCheckName: "1", + Tags: []string{"a", "1"}, + AutoAdvertise: &no, + ChecksUseAdvertise: &no, + Addr: "1", + GRPCAddr: "1", + Timeout: time.Duration(1), + TimeoutHCL: "1", + Token: "1", + AllowUnauthenticated: &no, + Auth: "1", + EnableSSL: &no, + VerifySSL: &no, + CAFile: "1", + CertFile: "1", + KeyFile: "1", + ServerAutoJoin: &no, + ClientAutoJoin: &no, + ExtraKeysHCL: []string{"a", "1"}, + } + + c2 := &ConsulConfig{ + ServerServiceName: "2", + ServerHTTPCheckName: "2", + ServerSerfCheckName: "2", + ServerRPCCheckName: "2", + ClientServiceName: "2", + ClientHTTPCheckName: "2", + Tags: []string{"b", "2"}, + AutoAdvertise: &yes, + ChecksUseAdvertise: &yes, + Addr: "2", + GRPCAddr: "2", + Timeout: time.Duration(2), + TimeoutHCL: "2", + Token: "2", + AllowUnauthenticated: &yes, + Auth: "2", + EnableSSL: &yes, + VerifySSL: &yes, + CAFile: "2", + CertFile: "2", + KeyFile: "2", + ServerAutoJoin: &yes, + ClientAutoJoin: &yes, + ExtraKeysHCL: []string{"b", "2"}, + } + + exp := &ConsulConfig{ + ServerServiceName: "2", + ServerHTTPCheckName: "2", + ServerSerfCheckName: "2", + ServerRPCCheckName: "2", + ClientServiceName: "2", + ClientHTTPCheckName: "2", + Tags: []string{"a", "1", "b", "2"}, + AutoAdvertise: &yes, + ChecksUseAdvertise: &yes, + Addr: "2", + GRPCAddr: "2", + Timeout: time.Duration(2), + TimeoutHCL: "2", + Token: "2", + AllowUnauthenticated: &yes, + Auth: "2", + EnableSSL: &yes, + VerifySSL: &yes, + CAFile: "2", + CertFile: "2", + KeyFile: "2", + ServerAutoJoin: &yes, + ClientAutoJoin: &yes, + ExtraKeysHCL: []string{"a", "1"}, // not merged + } + + result := c1.Merge(c2) + require.Equal(t, exp, result) +} + // TestConsulConfig_Defaults asserts Consul defaults are copied from their // upstream API package defaults. func TestConsulConfig_Defaults(t *testing.T) { diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go index 67dd618d26b..3f229b6c9da 100644 --- a/nomad/structs/config/vault.go +++ b/nomad/structs/config/vault.go @@ -3,6 +3,7 @@ package config import ( "time" + "github.com/hashicorp/nomad/helper" vault "github.com/hashicorp/vault/api" ) @@ -84,11 +85,9 @@ type VaultConfig struct { // `vault` configuration. func DefaultVaultConfig() *VaultConfig { return &VaultConfig{ - Addr: "https://vault.service.consul:8200", - ConnectionRetryIntv: DefaultVaultConnectRetryIntv, - AllowUnauthenticated: func(b bool) *bool { - return &b - }(true), + Addr: "https://vault.service.consul:8200", + ConnectionRetryIntv: DefaultVaultConnectRetryIntv, + AllowUnauthenticated: helper.BoolToPtr(true), } } diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go index eb8ff2627ff..2fa3ed2f885 100644 --- a/nomad/structs/structs.go +++ b/nomad/structs/structs.go @@ -641,6 +641,12 @@ type JobRevertRequest struct { // version before reverting. EnforcePriorVersion *uint64 + // ConsulToken is the Consul token that proves the submitter of the job revert + // has access to the Service Identity policies associated with the job's + // Consul Connect enabled services. This field is only used to transfer the + // token and is not stored after the Job revert. + ConsulToken string + // VaultToken is the Vault token that proves the submitter of the job revert // has access to any Vault policies specified in the targeted job version. This // field is only used to transfer the token and is not stored after the Job @@ -3403,6 +3409,12 @@ type Job struct { // job. This is opaque to Nomad. Meta map[string]string + // ConsulToken is the Consul token that proves the submitter of the job has + // access to the Service Identity policies associated with the job's + // Consul Connect enabled services. This field is only used to transfer the + // token and is not stored after Job submission. + ConsulToken string + // VaultToken is the Vault token that proves the submitter of the job has // access to the specified Vault policies. This field is only used to // transfer the token and is not stored after Job submission. diff --git a/website/source/api/jobs.html.md b/website/source/api/jobs.html.md index d94271010be..cc5008beb2a 100644 --- a/website/source/api/jobs.html.md +++ b/website/source/api/jobs.html.md @@ -1302,6 +1302,9 @@ The table below shows this endpoint's support for job's version. This is checked and acts as a check-and-set value before reverting to the specified job. +- `ConsulToken` `(string:"")` - Optional value specifying the [consul token](/docs/commands/job/revert.html) + used for Consul [service identity polity authentication checking](/docs/configuration/consul.html#allow_unauthenticated). + - `VaultToken` `(string: "")` - Optional value specifying the [vault token](/docs/commands/job/revert.html) used for Vault [policy authentication checking](/docs/configuration/vault.html#allow_unauthenticated). diff --git a/website/source/docs/commands/job/revert.html.md.erb b/website/source/docs/commands/job/revert.html.md.erb index a4281257791..2dc4d16fb13 100644 --- a/website/source/docs/commands/job/revert.html.md.erb +++ b/website/source/docs/commands/job/revert.html.md.erb @@ -12,12 +12,19 @@ The `job revert` command is used to revert a job to a prior version of the job. The available versions to revert to can be found using [`job history`] command. +The revert command will use a Consul token with the following preference: +first the `-consul-token` flag, then the `$CONSUL_TOKEN` environment variable. +Because the consul token used to [run] the targeted job version was not +persisted, it must be provided to revert if the targeted job version includes +Consul Connect enabled services and the Nomad servers were configured to require +[consul service identity] authentication. + The revert command will use a Vault token with the following preference: first the `-vault-token` flag, then the `$VAULT_TOKEN` environment variable. Because the vault token used to [run] the targeted job version was not persisted, it must be provided to revert if the targeted job version includes -Vault policies and the Nomad servers were configured to -[require authentication]. +Vault policies and the Nomad servers were configured to require [vault policy] +authentication. ## Usage @@ -38,6 +45,10 @@ job to revert to. will be output, which can be used to examine the evaluation using the [eval status] command. +- `-consul-token`: If set, the passed Consul token is sent along with the revert + request to the Nomad servers. This overrides the token found in the + $CONSUL_TOKEN environment variable. + - `-vault-token`: If set, the passed Vault token is sent along with the revert request to the Nomad servers. This overrides the token found in the $VAULT_TOKEN environment variable. @@ -106,5 +117,6 @@ Submit Date = 07/25/17 21:27:18 UTC [`job history`]: /docs/commands/job/history.html [eval status]: /docs/commands/eval-status.html -[require authentication]: /docs/configuration/vault.html#allow_unauthenticated +[consul service identity]: /docs/configuration/consul.html#allow_unauthenticated +[vault policy]: /docs/configuration/vault.html#allow_unauthenticated [run]: /docs/commands/job/run.html diff --git a/website/source/docs/commands/job/run.html.md.erb b/website/source/docs/commands/job/run.html.md.erb index d9fad43ae8e..5ed89cbe09a 100644 --- a/website/source/docs/commands/job/run.html.md.erb +++ b/website/source/docs/commands/job/run.html.md.erb @@ -39,6 +39,10 @@ client connection issues or internal errors, are indicated by exit code 1. If the job has specified the region, the -region flag and NOMAD_REGION environment variable are overridden and the job's region is used. +The run command will set the `consul_token` of the job based on the following +precedence, going from highest to lowest: the `-consul-token` flag, the +`$CONSUL_TOKEN` environment variable and finally the value in the job file. + The run command will set the `vault_token` of the job based on the following precedence, going from highest to lowest: the `-vault-token` flag, the `$VAULT_TOKEN` environment variable and finally the value in the job file. @@ -66,6 +70,11 @@ precedence, going from highest to lowest: the `-vault-token` flag, the - `-policy-override`: Sets the flag to force override any soft mandatory Sentinel policies. +- `-consul-token`: If set, the passed Consul token is stored in the job before + sending to the Nomad servers. This allows passing the Consul token without + storing it in the job file. This overrides the token found in the $CONSUL_TOKEN + environment variable and that found in the job. + - `-vault-token`: If set, the passed Vault token is stored in the job before sending to the Nomad servers. This allows passing the Vault token without storing it in the job file. This overrides the token found in the $VAULT_TOKEN diff --git a/website/source/docs/configuration/consul.html.md b/website/source/docs/configuration/consul.html.md index 577281db9d6..e4344579db7 100644 --- a/website/source/docs/configuration/consul.html.md +++ b/website/source/docs/configuration/consul.html.md @@ -54,6 +54,12 @@ configuring Nomad to talk to Consul via DNS such as consul.service.consul format: `unix:///tmp/consul/consul.sock`. Will default to the `CONSUL_HTTP_ADDR` environment variable if set. +- `allow_unauthenticated` `(bool: true)` - Specifies if users submitting jobs to + the Nomad server should be required to provide their own Consul token, proving + they have access to the service identity policies required by the Consul Connect + enabled services listed in the job. This option should be + disabled in an untrusted environment. + - `auth` `(string: "")` - Specifies the HTTP Basic Authentication information to use for access to the Consul Agent, given in the format `username:password`. diff --git a/website/source/docs/job-specification/job.html.md b/website/source/docs/job-specification/job.html.md index 2edb2413fd6..d7355896e86 100644 --- a/website/source/docs/job-specification/job.html.md +++ b/website/source/docs/job-specification/job.html.md @@ -137,6 +137,16 @@ job "docs" { accidentally. Users should set the `VAULT_TOKEN` environment variable when running the job instead. +- `consul_token` `(string: "")` - Specifies the Consul token that proves the + submitter of the job has access to the Service Identity policies associated + with the job's Consul Connect enabled services. This field is only used to + transfer the token and is not stored after job submission. + + !> It is **strongly discouraged** to place the token as a configuration + parameter like this, since the token could be checked into source control + accidentally. Users should set the `CONSUL_TOKEN` environment variable when + running the job instead. + ## `job` Examples The following examples only show the `job` stanzas. Remember that the