Documentation guide for Consul Connect with ACLs enabled #7057

Closed
schmichael opened this issue Feb 3, 2020 · 9 comments
Labels
theme/consul/connect Consul Connect integration theme/consul theme/docs Documentation issues and enhancements type/enhancement

@schmichael
Member

Write a documentation guide for Consul Connect when Consul ACLs are enabled.

Followup from #6905

@schmichael schmichael added type/enhancement theme/docs Documentation issues and enhancements theme/consul theme/consul/connect Consul Connect integration labels Feb 3, 2020
@leptonyu

Could you please write a simple one first?

@commarla

I was a bit lost last week and needed this doc, but here are my notes:

  • enable gRPC on consul clients
  • add consul token in nomad config

I spent some time understanding we needed a consul token in nomad config to tell nomad to derive a SI token.

// Enable the Service Identity hook only if the Nomad client is configured

My token was in consul client config. I had to add one to nomad's config.

@leptonyu

@commarla Thanks. I use the master key, and it works.

Do you have some advice on how to specify the Consul ACL policies for the Nomad client?

@commarla

@leptonyu I used this policy

```hcl
agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "write"
}
key_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "write"
}
acl = "write"
```

I added acl = "write" because the derived token should be able to create ACL for Service Identity (I think ...).

It's working and I (like you) am waiting for the official documentation.

@leptonyu

You're right. acl needs to turn on 'write'. But it's not good.

My working policy is this.

```hcl
acl = "write"
key_prefix "nomad/" { policy = "write" }
node_prefix "" { policy = "read" }
agent_prefix "" { policy = "read" }
service_prefix "" { policy = "write" }
```

@sriyer

sriyer commented Mar 18, 2020

> acl needs to turn on 'write'. But it's not good.

Agree! ... These tokens are part of the Nomad config, and unless that is secure, anyone can create a management token out of it!
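
An added example, not from the thread or from the Nomad or Consul projects: a small Python check that flags the two kinds of rule discussed above, `acl = "write"` and write access on the empty prefix, in a Consul ACL policy. The function name `audit_policy`, the severity labels and the regex-based parsing (which covers only the rule forms posted in this thread) are assumptions.

```python
import re

# Constructed sample: the second policy posted in the thread above.
SAMPLE_POLICY = '''
acl = "write"
key_prefix "nomad/" { policy = "write" }
node_prefix "" { policy = "read" }
agent_prefix "" { policy = "read" }
service_prefix "" { policy = "write" }
'''

# Block rules such as: service_prefix "" { policy = "write" }
# \s also matches newlines, so multi-line blocks are handled too.
RULE_RE = re.compile(
    r'(?P<resource>\w+)\s+"(?P<name>[^"]*)"\s*\{'
    r'\s*policy\s*=\s*"(?P<level>\w+)"\s*\}'
)
# Scalar rule: acl = "write"
ACL_RE = re.compile(r'^\s*acl\s*=\s*"(?P<level>\w+)"', re.M)


def audit_policy(text):
    """Return (severity, message) findings for a Consul ACL policy in HCL.

    Hypothetical helper: severities are this example's own labels.
    """
    findings = []
    for m in ACL_RE.finditer(text):
        if m["level"] == "write":
            # The concern raised in the thread: whoever holds this token
            # can create further tokens, including a management token.
            findings.append(("high", 'acl = "write" lets the holder mint tokens'))
    for m in RULE_RE.finditer(text):
        resource, name, level = m["resource"], m["name"], m["level"]
        # An empty prefix matches every name of that resource type.
        if resource.endswith("_prefix") and name == "" and level == "write":
            findings.append(("medium", f'{resource} "" is write on every name'))
    return findings


if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

A policy that still needs `acl = "write"` will keep producing the high finding, which makes the check a reminder that the file holding that token needs protecting.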

@shoenig
Member

shoenig commented Apr 10, 2020

With massive thanks for efforts from @angrycub, we have a guide!
https://learn.hashicorp.com/nomad/consul-integration/nomad-connect-acl

@shoenig shoenig closed this as completed Apr 10, 2020
@angrycub
Contributor

h/t to @spuder and @skipperza for their work with rough cuts of the guide and for all the awesome feedback.

@github-actions

github-actions bot commented Nov 9, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022