consul/connect: implement initial support for connect native #8011
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,221 @@ | ||
| package taskrunner | ||
|
|
||
| import ( | ||
| "context" | ||
| "io" | ||
| "io/ioutil" | ||
| "os" | ||
| "path/filepath" | ||
|
|
||
| hclog "github.com/hashicorp/go-hclog" | ||
| ifs "github.com/hashicorp/nomad/client/allocrunner/interfaces" | ||
| "github.com/hashicorp/nomad/nomad/structs" | ||
| "github.com/hashicorp/nomad/nomad/structs/config" | ||
| "github.com/pkg/errors" | ||
| ) | ||
|
|
||
| const ( | ||
| connectNativeHookName = "connect_native" | ||
| ) | ||
|
|
||
| type connectNativeHookConfig struct { | ||
| consulShareTLS bool | ||
| consul consulTransportConfig | ||
| alloc *structs.Allocation | ||
| logger hclog.Logger | ||
| } | ||
|
|
||
| func newConnectNativeHookConfig(alloc *structs.Allocation, consul *config.ConsulConfig, logger hclog.Logger) *connectNativeHookConfig { | ||
| return &connectNativeHookConfig{ | ||
| alloc: alloc, | ||
| logger: logger, | ||
| consulShareTLS: consul.ShareSSL == nil || *consul.ShareSSL, // default enabled | ||
| consul: newConsulTransportConfig(consul), | ||
| } | ||
| } | ||
|
|
||
| // connectNativeHook manages additional automagic configuration for a connect | ||
| // native task. | ||
| // | ||
| // If nomad client is configured to talk to Consul using TLS (or other special | ||
| // auth), the native task will inherit that configuration EXCEPT for the consul | ||
| // token. | ||
| // | ||
| // If consul is configured with ACLs enabled, a Service Identity token will be | ||
| // generated on behalf of the native service and supplied to the task. | ||
| type connectNativeHook struct { | ||
| // alloc is the allocation with the connect native task being run | ||
| alloc *structs.Allocation | ||
|
|
||
| // consulShareTLS is used to toggle whether the TLS configuration of the | ||
| // Nomad Client may be shared with Connect Native applications. | ||
| consulShareTLS bool | ||
|
|
||
| // consulConfig is used to enable the connect native enabled task to | ||
| // communicate with consul directly, as is necessary for the task to request | ||
| // its connect mTLS certificates. | ||
| consulConfig consulTransportConfig | ||
|
|
||
| // logger is used to log things | ||
| logger hclog.Logger | ||
| } | ||
|
|
||
| func newConnectNativeHook(c *connectNativeHookConfig) *connectNativeHook { | ||
| return &connectNativeHook{ | ||
| alloc: c.alloc, | ||
| consulShareTLS: c.consulShareTLS, | ||
| consulConfig: c.consul, | ||
| logger: c.logger.Named(connectNativeHookName), | ||
| } | ||
| } | ||
|
|
||
| func (connectNativeHook) Name() string { | ||
| return connectNativeHookName | ||
| } | ||
|
|
||
| func (h *connectNativeHook) Prestart( | ||
| ctx context.Context, | ||
| request *ifs.TaskPrestartRequest, | ||
| response *ifs.TaskPrestartResponse) error { | ||
|
|
||
| if !request.Task.Kind.IsConnectNative() { | ||
| response.Done = true | ||
| return nil | ||
| } | ||
|
|
||
| if h.consulShareTLS { | ||
| // copy TLS certificates | ||
| if err := h.copyCertificates(h.consulConfig, request.TaskDir.SecretsDir); err != nil { | ||
| h.logger.Error("failed to copy Consul TLS certificates", "error", err) | ||
| return err | ||
| } | ||
|
|
||
| // set environment variables for communicating with Consul agent, but | ||
| // only if those environment variables are not already set | ||
| response.Env = h.tlsEnv(request.TaskEnv.EnvMap) | ||
|
|
||
| } | ||
|
|
||
| if err := h.maybeSetSITokenEnv(request.TaskDir.SecretsDir, request.Task.Name, response.Env); err != nil { | ||
| h.logger.Error("failed to load Consul Service Identity Token", "error", err, "task", request.Task.Name) | ||
| return err | ||
| } | ||
|
|
||
| // tls/acl setup for native task done | ||
| response.Done = true | ||
| return nil | ||
| } | ||
|
|
||
| const ( | ||
| secretCAFilename = "consul_ca_file.pem" | ||
| secretCertfileFilename = "consul_cert_file.pem" | ||
| secretKeyfileFilename = "consul_key_file.pem" | ||
| ) | ||
|
|
||
| func (h *connectNativeHook) copyCertificates(consulConfig consulTransportConfig, dir string) error { | ||
| if err := h.copyCertificate(consulConfig.CAFile, dir, secretCAFilename); err != nil { | ||
| return err | ||
| } | ||
| if err := h.copyCertificate(consulConfig.CertFile, dir, secretCertfileFilename); err != nil { | ||
| return err | ||
| } | ||
| if err := h.copyCertificate(consulConfig.KeyFile, dir, secretKeyfileFilename); err != nil { | ||
| return err | ||
| } | ||
| return nil | ||
| } | ||
|
|
||
| func (connectNativeHook) copyCertificate(source, dir, name string) error { | ||
| if source == "" { | ||
| return nil | ||
| } | ||
|
|
||
| original, err := os.Open(source) | ||
| if err != nil { | ||
| return errors.Wrap(err, "failed to open consul TLS certificate") | ||
| } | ||
| defer original.Close() | ||
|
|
||
| destination := filepath.Join(dir, name) | ||
| fd, err := os.Create(destination) | ||
| if err != nil { | ||
| return errors.Wrapf(err, "failed to create secrets/%s", name) | ||
| } | ||
| defer fd.Close() | ||
|
|
||
| if _, err := io.Copy(fd, original); err != nil { | ||
| return errors.Wrapf(err, "failed to copy certificate secrets/%s", name) | ||
| } | ||
|
|
||
| if err := fd.Sync(); err != nil { | ||
| return errors.Wrapf(err, "failed to write secrets/%s", name) | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| // tlsEnv creates a set of additional of environment variables to be used when launching | ||
| // the connect native task. This will enable the task to communicate with Consul | ||
| // if Consul has transport security turned on. | ||
| // | ||
| // We do NOT set CONSUL_HTTP_TOKEN from the nomad agent's consul config, as that | ||
| // is a separate security concern addressed by the service identity hook. | ||
| func (h *connectNativeHook) tlsEnv(env map[string]string) map[string]string { | ||
| m := make(map[string]string) | ||
|
|
||
| if _, exists := env["CONSUL_CACERT"]; !exists && h.consulConfig.CAFile != "" { | ||
| m["CONSUL_CACERT"] = filepath.Join("/secrets", secretCAFilename) | ||
|
There was a problem hiding this comment. These paths won't work for raw_exec. Dropping the leading slash so that it's relative should work. Not sure if we have any prior art to work from here though. 🤔 We can definitely fix raw_exec later and it shouldn't hold up this PR. Just file a ticket if you think it's a concern but don't have time to verify or fix now. There was a problem hiding this comment. Unfortunately just dropping the root slash breaks in docker. Will open a follow up ticket to find a way to make everything happy. |
||
| } | ||
|
|
||
| if _, exists := env["CONSUL_CLIENT_CERT"]; !exists && h.consulConfig.CertFile != "" { | ||
| m["CONSUL_CLIENT_CERT"] = filepath.Join("/secrets", secretCertfileFilename) | ||
| } | ||
|
|
||
| if _, exists := env["CONSUL_CLIENT_KEY"]; !exists && h.consulConfig.KeyFile != "" { | ||
| m["CONSUL_CLIENT_KEY"] = filepath.Join("/secrets", secretKeyfileFilename) | ||
| } | ||
|
|
||
| if _, exists := env["CONSUL_HTTP_SSL"]; !exists { | ||
| if v := h.consulConfig.SSL; v != "" { | ||
| m["CONSUL_HTTP_SSL"] = v | ||
| } | ||
| } | ||
|
|
||
| if _, exists := env["CONSUL_HTTP_SSL_VERIFY"]; !exists { | ||
| if v := h.consulConfig.VerifySSL; v != "" { | ||
| m["CONSUL_HTTP_SSL_VERIFY"] = v | ||
| } | ||
| } | ||
|
|
||
| return m | ||
| } | ||
|
|
||
| // maybeSetSITokenEnv will set the CONSUL_HTTP_TOKEN environment variable in | ||
| // the given env map, if the token is found to exist in the task's secrets | ||
| // directory AND the CONSUL_HTTP_TOKEN environment variable is not already set. | ||
| // | ||
| // Following the pattern of the envoy_bootstrap_hook, the Consul Service Identity | ||
| // ACL Token is generated prior to this hook, if Consul ACLs are enabled. This is | ||
| // done in the sids_hook, which places the token at secrets/si_token in the task | ||
| // workspace. The content of that file is the SI token specific to this task | ||
| // instance. | ||
| func (h *connectNativeHook) maybeSetSITokenEnv(dir, task string, env map[string]string) error { | ||
| if _, exists := env["CONSUL_HTTP_TOKEN"]; exists { | ||
| // Consul token was already set - typically by using the Vault integration | ||
| // and a template stanza to set the environment. Ignore the SI token as | ||
| // the configured token takes precedence. | ||
| return nil | ||
| } | ||
|
|
||
| token, err := ioutil.ReadFile(filepath.Join(dir, sidsTokenFile)) | ||
| if err != nil { | ||
| if !os.IsNotExist(err) { | ||
| return errors.Wrapf(err, "failed to load SI token for native task %s", task) | ||
| } | ||
| h.logger.Trace("no SI token to load for native task", "task", task) | ||
| return nil // token file DNE; acls not enabled | ||
| } | ||
| h.logger.Trace("recovered pre-existing SI token for native task", "task", task) | ||
| env["CONSUL_HTTP_TOKEN"] = string(token) | ||
| return nil | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I remember you mentioning this shouldn't be enabled in production. Is it worth dropping a warn line when the hook is created so its emitted at startup?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding is that it is safe to enable in production when Consul ACLs are enabled. If that's true and clearly documented, I don't think we need to log every time.