consul: include admin partition in JWT login requests #22226
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Our unit tests can't really exercise this area of code well, but the E2E tests here exercise this code for Consul CE and make sure we don't break the use case where no partition has been set. I've successfully end-to-end tested this with Consul Enterprise with the following setup. Nomad server agent Consul configconsul {
token = "redacted"
allow_unauthenticated = true
service_identity {
aud = ["consul.io"]
ttl = "1h"
}
task_identity {
aud = ["consul.io"]
ttl = "1h"
}
}Nomad client agent Consul configconsul {
token = "redacted"
allow_unauthenticated = true
}setupauth config file {
"JWKSURL": "http://10.37.105.3:4646/.well-known/jwks.json",
"JWTSupportedAlgs": ["RS256"],
"BoundAudiences": ["consul.io"],
"ClaimMappings": {
"consul_namespace": "consul_namespace",
"nomad_namespace": "nomad_namespace",
"nomad_job_id": "nomad_job_id",
"nomad_task": "nomad_task",
"nomad_service": "nomad_service"
}
}task policy file key_prefix "nomad/" {
policy = "read"
}
service_prefix "" {
policy = "read"
}setup script #!/usr/bin/env bash
set -e
consul partition create -name dev
nomad namespace apply foo
consul namespace create -partition dev -name foo
# create the auth method in the dev partition
consul acl auth-method create \
-name 'nomad-workloads' \
-type jwt \
-partition dev \
-description 'login method for Nomad workloads' \
-format json \
-namespace-rule-selector='' \
-namespace-rule-bind-namespace='${value.nomad_namespace}' \
-config "@consul-auth-method-config.json"
# create the task (templates) policy in the partition and namespace
consul acl policy create \
-partition dev \
-namespace foo \
-name workloads-policy-dev \
-rules "@consul-task-policy.hcl"
# create the role for tasks (templates) in the partition and namespace
consul acl role create \
-name "nomad-tasks-foo" \
-namespace foo \
-partition dev \
-description "role for Nomad workloads in foo namespace" \
-policy-name "workloads-policy-dev"
# create the binding rule for tasks (templates)
consul acl binding-rule create \
-method 'nomad-workloads' \
-partition dev \
-description 'binding rule for Nomad template workload identities (WI)' \
-bind-type role \
-bind-name 'nomad-tasks-${value.nomad_namespace}' \
-selector '"nomad_service" not in value'
# create the binding rule for services
consul acl binding-rule create \
-method 'nomad-workloads' \
-partition dev \
-description 'binding rule for Nomad workload identities (WI)' \
-bind-type service \
-bind-name '${value.nomad_service}' \
-selector '"nomad_service" in value'My test job requires both a service login and a task login. jobspecjob "example" {
group "web" {
network {
mode = "bridge"
port "www" {
to = 8001
}
}
service {
port = "www"
}
task "http" {
driver = "docker"
config {
image = "busybox:1"
command = "httpd"
args = ["-vv", "-f", "-p", "8001", "-h", "/local"]
ports = ["www"]
}
identity {
env = true
file = true
}
template {
data = "<html>hello, world</html>"
destination = "local/index.html"
}
resources {
cpu = 100
memory = 100
}
}
}
}
|
tgross
added
theme/consul
theme/workload-identity
type/bug
theme/enterprise
When logging into a JWT auth method, we need to explicitly supply the Consul admin partition if the local Consul agent is in a partition. We can't derive this from agent configuration because the Consul agent's configuration is canonical, so instead we get the partition from the fingerprint (if available). This changeset updates the Consul client constructor so that we close over the partition from the fingerprint. Ref: https://hashicorp.atlassian.net/browse/NET-9451
tgross
force-pushed
the
consul-partition-for-client
branch
from
583cc41 to
6f68109
Compare
pkazmierczak
approved these changes
May 24, 2024
| return nil, fmt.Errorf("nil consul config") | ||
| } | ||
| // ConsulClientFunc creates a new Consul client for the specific Consul config | ||
| type ConsulClientFunc func(config *config.ConsulConfig, logger hclog.Logger) (Client, error) |
There was a problem hiding this comment.
that's a nice refactoring 👌
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When logging into a JWT auth method, we need to explicitly supply the Consul admin partition if the local Consul agent is in a partition. We can't derive this from agent configuration because the Consul agent's configuration is canonical, so instead we get the partition from the fingerprint (if available). This changeset updates the Consul client constructor so that we close over the partition from the fingerprint.
Ref: https://hashicorp.atlassian.net/browse/NET-9451