WI: ensure Consul hook and WID manager interpolate services #20344

tgross · 2024-04-09T19:21:20Z

Services can have some of their string fields interpolated. The new Workload Identity flow doesn't interpolate the services before requesting signed identities or using those identities to get Consul tokens.

Add support for interpolation to the WID manager and the Consul tokens hook by providing both with a taskenv builder. Add an "interpolate workload" field to the WI handle to allow passing the original workload name to the server so the server can find the correct service to sign.

This changeset also makes two related test improvements:

Remove the mock WID manager, which was only used in the Consul hook tests and isn't necessary so long as we provide the real WID manager with the mock signer and never call Run on it. It wasn't feasible to exercise the correct behavior without this refactor, as the mocks were bypassing the new code.
Fixed swapped expect-vs-actual assertions on the consul_hook tests.

Fixes: #20025

Smoke tested with the following jobspec:

jobspec

job "example" {

  group "web" {

    network {
      mode = "bridge"
      port "metrics" {
        to = 9000
      }
      port "www" {
        to = 8001
      }
    }

    service {
      name = "${NOMAD_GROUP_NAME}"
      port = "metrics"
    }

    task "http" {

      driver = "docker"

      service {
        name = "${NOMAD_TASK_NAME}"
        port = "www"
      }

      config {
        image   = "busybox:1"
        command = "httpd"
        args    = ["-vv", "-f", "-p", "8001", "-h", "/local"]
        ports   = ["www"]
      }

      resources {
        cpu    = 100
        memory = 100
      }

    }
  }
}

schmichael

The security implications of this do make me nervous. As you and @gulducat discussed offline there doesn't appear to be any immediate concern, but security issues often arise from unintended side effects down the road.

I wonder if we should deprecate this form of interpolation in this place in favor of HCL variables? I think an HCL variable with a default value could specify both the group and service names in a way that would make them static by the time they're submitted to Nomad. It would be nice to have a path away from this extremely buggy phased interpolation approach.

client/taskenv/services.go

schmichael · 2024-04-11T18:04:06Z

client/allocrunner/alloc_runner.go

@@ -285,8 +286,17 @@ func NewAllocRunner(config *config.AllocRunnerConfig) (interfaces.AllocRunner, e
 	ar.shutdownDelayCtx = shutdownDelayCtx
 	ar.shutdownDelayCancelFn = shutdownDelayCancel

+	// Create a *taskenv.Builder for the allocation so the WID manager can
+	// interpolate services with the allocation and tasks as needed
+	envBuilder := taskenv.NewBuilder(


This is the second time allocrunner uses taskenv.Builder in a unique way compared to taskrunner (nil Task, in the other place it's used in a closure). Might be nice to reevaluate the old Builder design to see if we can split up the alloc and task concerns and make it less dangerous to hold.

schmichael · 2024-04-11T18:06:00Z

client/widmgr/mock.go

@@ -113,35 +113,3 @@ func (m *MockWIDSigner) SignIdentities(minIndex uint64, req []*structs.WorkloadI
 	}
 	return swids, nil
 }
-
-// MockWIDMgr mocks IdentityManager interface allowing to only get identities


I love to see a mock removed!

tgross · 2024-04-11T18:39:37Z

I wonder if we should deprecate this form of interpolation in this place in favor of HCL variables? I think an HCL variable with a default value could specify both the group and service names in a way that would make them static by the time they're submitted to Nomad. It would be nice to have a path away from this extremely buggy phased interpolation approach.

I love this idea! Right now interpolation can include data that really is allocation-specific or node-specific, like node metadata or the IP address. But there's probably some subsets of fields that we could say "you're allowed to interpolate these fields with node metadata, and these fields only with HCL2". Being able to document which those are would be nice for users and for us developers. I'll open a new issue for that.

Services can have some of their string fields interpolated. The new Workload Identity flow doesn't interpolate the services before requesting signed identities or using those identities to get Consul tokens. Add support for interpolation to the WID manager and the Consul tokens hook by providing both with a taskenv builder. This changeset also makes two related test improvements: * Remove the mock WID manager, which was only used in the Consul hook tests and isn't necessary so long as we provide the real WID manager with the mock signer and never call `Run` on it. * Fixed swapped expect-vs-actual assertions on the `consul_hook` tests. Fixes: #20025

tgross · 2024-04-11T19:19:59Z

@schmichael I've opened #20362 to follow up on the design of interpolation more generally.

Services can have some of their string fields interpolated. The new Workload Identity flow doesn't interpolate the services before requesting signed identities or using those identities to get Consul tokens. Add support for interpolation to the WID manager and the Consul tokens hook by providing both with a taskenv builder. Add an "interpolate workload" field to the WI handle to allow passing the original workload name to the server so the server can find the correct service to sign. This changeset also makes two related test improvements: * Remove the mock WID manager, which was only used in the Consul hook tests and isn't necessary so long as we provide the real WID manager with the mock signer and never call `Run` on it. It wasn't feasible to exercise the correct behavior without this refactor, as the mocks were bypassing the new code. * Fixed swapped expect-vs-actual assertions on the `consul_hook` tests. Fixes: #20025

tgross added this to the 1.7.x milestone Apr 9, 2024

tgross added theme/workload-identity type/bug theme/consul backport/1.7.x backport to 1.7.x release line labels Apr 9, 2024

tgross force-pushed the b-consul-hook-interpolation branch from 18a9195 to a4799d1 Compare April 9, 2024 19:22

vercel bot deployed to Preview – nomad-storybook-and-ui April 9, 2024 19:26 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from a4799d1 to 0978072 Compare April 9, 2024 19:26

vercel bot deployed to Preview – nomad-storybook-and-ui April 9, 2024 19:29 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from 0978072 to c42dcec Compare April 9, 2024 19:43

tgross mentioned this pull request Apr 9, 2024

Variable Interpolation error with Consul Workload Identity #20025

Closed

vercel bot deployed to Preview – nomad-storybook-and-ui April 9, 2024 19:45 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from c42dcec to 6c6fb45 Compare April 9, 2024 20:01

vercel bot deployed to Preview – nomad-storybook-and-ui April 9, 2024 20:04 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from 6c6fb45 to e52660d Compare April 10, 2024 19:17

vercel bot deployed to Preview – nomad-storybook-and-ui April 10, 2024 19:19 View deployment

vercel bot deployed to Preview – nomad-storybook-and-ui April 10, 2024 21:06 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from f0d5077 to 618dd62 Compare April 11, 2024 13:40

vercel bot deployed to Preview – nomad-storybook-and-ui April 11, 2024 13:43 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from 618dd62 to c411b39 Compare April 11, 2024 14:49

vercel bot deployed to Preview – nomad-storybook-and-ui April 11, 2024 14:51 View deployment

tgross force-pushed the b-consul-hook-interpolation branch from c411b39 to e0a11e2 Compare April 11, 2024 15:37

vercel bot deployed to Preview – nomad-storybook-and-ui April 11, 2024 15:39 View deployment

tgross marked this pull request as ready for review April 11, 2024 15:55

tgross requested review from gulducat and pkazmierczak April 11, 2024 15:56

schmichael approved these changes Apr 11, 2024

View reviewed changes

tgross added 2 commits April 11, 2024 14:41

interpolate only the service name in the WI handle

de3943b

tgross force-pushed the b-consul-hook-interpolation branch from e0a11e2 to ab8f278 Compare April 11, 2024 18:49

vercel bot deployed to Preview – nomad-storybook-and-ui April 11, 2024 18:52 View deployment

require an env interpolation function for service.IdentityHandle

825efce

tgross force-pushed the b-consul-hook-interpolation branch from ab8f278 to 825efce Compare April 11, 2024 19:09

vercel bot deployed to Preview – nomad-storybook-and-ui April 11, 2024 19:12 View deployment

tgross mentioned this pull request Apr 11, 2024

deprecate client-side interpolation for known values in lieu of HCL2 #20362

Open

tgross merged commit d56e8ad into main Apr 11, 2024
19 checks passed

tgross deleted the b-consul-hook-interpolation branch April 11, 2024 19:40

hc-github-team-nomad-core mentioned this pull request Apr 11, 2024

Backport of WI: ensure Consul hook and WID manager interpolate services into release/1.7.x #20363

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WI: ensure Consul hook and WID manager interpolate services #20344

WI: ensure Consul hook and WID manager interpolate services #20344

tgross commented Apr 9, 2024 •

edited

Loading

schmichael left a comment

schmichael Apr 11, 2024

schmichael Apr 11, 2024

tgross commented Apr 11, 2024

tgross commented Apr 11, 2024

WI: ensure Consul hook and WID manager interpolate services #20344

WI: ensure Consul hook and WID manager interpolate services #20344

Conversation

tgross commented Apr 9, 2024 • edited Loading

schmichael left a comment

Choose a reason for hiding this comment

schmichael Apr 11, 2024

Choose a reason for hiding this comment

schmichael Apr 11, 2024

Choose a reason for hiding this comment

tgross commented Apr 11, 2024

tgross commented Apr 11, 2024

tgross commented Apr 9, 2024 •

edited

Loading