consul: consul taskrunner hook should only write tokens that belong to its task (#18635)

Ref hashicorp/team-nomad#404
2026-01-01 16:05:42 +03:00 · 2023-10-02 19:49:02 +02:00
parent 62a0768775
commit 3d62438876
1 changed files with 10 additions and 0 deletions
--- a/client/allocrunner/taskrunner/consul_hook.go
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"

 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
@@ -56,6 +57,15 @@ func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest,
 	// Write tokens to tasks' secret dirs
 	for cluster, t := range tokens {
 		for identity, token := range t {
+			// do not write tokens that do not belong to any of this task's
+			// identities
+			if !slices.ContainsFunc(
+				h.task.Identities,
+				func(id *structs.WorkloadIdentity) bool { return id.Name == identity }) &&
+				identity != h.task.Identity.Name {
+				continue
+			}
+
 			filename := fmt.Sprintf("%s_%s_%s", consulTokenFilePrefix, cluster, identity)
 			tokenPath := filepath.Join(h.tokenDir, filename)
 			if err := os.WriteFile(tokenPath, []byte(token), consulTokenFilePerms); err != nil {