From 7bfb482b1ef3a1bf0138c2f9e00700466127c3fc Mon Sep 17 00:00:00 2001
From: Jorge Marey
Date: Thu, 28 May 2020 15:20:15 +0200
Subject: [PATCH 1/3] Change consul SI tokens to be local

---
 nomad/consul.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nomad/consul.go b/nomad/consul.go
index 95b0e3ff9..61a04816f 100644
--- a/nomad/consul.go
+++ b/nomad/consul.go
@@ -290,6 +290,7 @@ func (c *consulACLsAPI) CreateToken(ctx context.Context, sir ServiceIdentityRequ
 Description: sir.Description(),
 ServiceIdentities: []*api.ACLServiceIdentity{{ServiceName: service}},
 Namespace: sir.ConsulNamespace,
+ Local: true,
 }
 
 // Ensure we are under our rate limit.

From b2a2f77d408ed798a437a3a6cba587f9d493a8df Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Fri, 15 Apr 2022 15:10:06 -0500
Subject: [PATCH 2/3] docs: update documentation with connect acls changes

This PR updates the changelog, adds notes the 1.3 upgrade guide, and updates the connect integration docs with documentation about the new requirement on Consul ACL policies of Consul agent default anonymous ACL tokens.
---
 .changelog/8068.txt | 10 +++++++
 nomad/job_endpoint_hook_connect.go | 4 +-
 .../docs/integrations/consul-connect.mdx | 26 ++++++++++++++++---
 .../content/docs/upgrade/upgrade-specific.mdx | 21 +++++++++++++++
 4 files changed, 55 insertions(+), 6 deletions(-)
 create mode 100644 .changelog/8068.txt

diff --git a/.changelog/8068.txt b/.changelog/8068.txt
new file mode 100644
index 000000000..112b797db
--- /dev/null
+++ b/.changelog/8068.txt
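Review bot: The added `Local: true` encodes a security tradeoff that nothing at this call site records: a local token is not replicated to other Consul datacenters (smaller blast radius if it leaks), but per the docs in this series cross-DC requests from the service then resolve through the remote agents' anonymous token, which operators must grant `service_prefix ""`/`node_prefix ""` read. I would add above the field `// Local: not replicated across Consul DCs; cross-DC service/node lookups fall back to` / `// each agent's anonymous token (Consul #7414). Requires Consul >= 1.8.0.` so the next reader does not flip it back to global on the first cross-DC failure. The flag is set unconditionally and this path does not check the version of the Consul servers it talks to; the `>= 1.8.0` constraint added later in the series is a scheduling constraint on client agents, so if the servers Nomad calls are older the outcome presumably surfaces here as a create error or a token that is not actually local — worth confirming against Consul. CreateToken begins before and continues past this hunk.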
@@ -0,0 +1,10 @@
+```release-note:breaking-change
+connect: Consul Service Identity ACL tokens automatically generated for Connect services are now
+created as Local rather than Global tokens. Nomad clusters with Connect services making cross-Consul
+datacenter requests will need to ensure their Consul agents are configured with anonymous ACL tokens
+of sufficient node and service read permissions.
+```
+
+```release-note:breaking-change
+The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0.
+```
diff --git a/nomad/job_endpoint_hook_connect.go b/nomad/job_endpoint_hook_connect.go
index f0286ac9c..b2dc23a5c 100644
--- a/nomad/job_endpoint_hook_connect.go
+++ b/nomad/job_endpoint_hook_connect.go
@@ -68,11 +68,11 @@ func connectGatewayDriverConfig(hostNetwork bool) map[string]interface{} {
 // connectSidecarVersionConstraint is used when building the sidecar task to ensure
 // the proper Consul version is used that supports the necessary Connect
 // features. This includes bootstrapping envoy with a unix socket for Consul's
-// gRPC xDS API.
+// gRPC xDS API, and support for generating local service identity tokens.
 func connectSidecarVersionConstraint() *structs.Constraint {
 return &structs.Constraint{
 LTarget: "${attr.consul.version}",
- RTarget: ">= 1.6.0-beta1",
+ RTarget: ">= 1.8.0",
 Operand: structs.ConstraintSemver,
 }
 }
diff --git a/website/content/docs/integrations/consul-connect.mdx b/website/content/docs/integrations/consul-connect.mdx
index 645715fd0..171bbd72f 100644
--- a/website/content/docs/integrations/consul-connect.mdx
+++ b/website/content/docs/integrations/consul-connect.mdx
@@ -8,9 +8,6 @@ description: >-
 
 # Consul Service Mesh
 
-~> **Note:** This guide requires Nomad 0.10.0 or later and Consul 1.6.0 or
-later.
-
 ~> **Note:** Nomad's service mesh integration requires Linux network namespaces.
 Consul service mesh will not run on Windows or macOS.
 
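Review bot: The new `RTarget: ">= 1.8.0"` under `structs.ConstraintSemver` will, as I read semver ordering, reject pre-release builds such as `1.8.0-beta1`, whereas the old `>= 1.6.0-beta1` form deliberately admitted them; if excluding 1.8 betas is intended, say so next to the value, e.g. `RTarget: ">= 1.8.0", // pre-releases intentionally excluded; floor for local SI tokens`. The constraint targets `${attr.consul.version}`, i.e. the agent fingerprinted on each client, so per the doc comment it gates where the sidecar task may run but not the version of the Consul servers that actually mint the local token in nomad/consul.go; one added sentence in the doc comment stating that this is a client-side gate only would stop operators reading it as a cluster-wide check. The function is complete within the hunk.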
@@ -58,7 +55,7 @@ The Consul service mesh integration with Nomad requires [Consul 1.6 or later.](https://releases.hashicorp.com/consul/1.6.0/) The Consul agent can be run in dev mode with the following command: -**Note**: Nomad's Consul service mesh integration requires Consul in your `$PATH` +~> **Note:** Nomad's Consul service mesh integration requires Consul in your `$PATH` ```shell-session $ consul agent -dev @@ -96,6 +93,23 @@ For JSON configurations: } ``` +#### Consul ACLs + +~> **Note:** Starting in Nomad v1.3.0, Consul Service Identity ACL tokens automatically +generated by Nomad on behalf of Connect enabled services are now created in [`Local`] +rather than Global scope, and are no longer replicated globally. + +To facilitate cross-Consul datacenter requests of Connect services registered by +Nomad, Consul agents will need to be configured with [default anonymous][anon_token] +ACL tokens with ACL policies of sufficient permissions to read service and node +metadata pertaining to those requests. This mechanism is described in Consul [#7414][consul_acl]. +A typical Consul agent anonymous token may contain an ACL policy such as: + +```hcl +service_prefix "" { policy = "read" } +node_prefix "" { policy = "read" } +``` + ### Nomad Nomad must schedule onto a routable interface in order for the proxies to @@ -326,6 +340,7 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so ## Limitations +- The minimum Consul version to use Connect with Nomad is Consul v1.8.0. - The `consul` binary must be present in Nomad's `$PATH` to run the Envoy proxy sidecar on client nodes. - Consul service mesh using network namespaces is only supported on Linux. 
@@ -333,4 +348,7 @@ dashes (`-`) are converted to underscores (`_`) in environment variables so
 connections while the Nomad agent is restarting.
 
 [count-dashboard]: /img/count-dashboard.png
+[consul_acl]: https://github.com/hashicorp/consul/issues/7414
 [gh-9907]: https://github.com/hashicorp/nomad/issues/9907
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index d9f3ec527..c6c95d2fb 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -126,6 +126,24 @@ connect {
 }
 ```
 
+#### Changes to Consul Connect Service Identity Tokens
+
+Starting with Nomad 1.3.0, Consul Service Identity Tokens created automatically
+by Nomad on behalf of Connect services will now be created as [`Local`] tokens. These
+tokens will no longer be replicated globally. To facilitate cross-Consul datacenter
+requests of Connect services registered by Nomad, Consul agents will need to be
+configured with [default anonymous][anon_token] ACL tokens with ACL policies of
+sufficient permissions to read service and node metadata pertaining to those
+requests. This mechanism is described in Consul [#7414][consul_acl].
+A typical Consul agent anonymous token may contain an ACL policy such as:
+
+```hcl
+service_prefix "" { policy = "read" }
+node_prefix "" { policy = "read" }
+```
+
+The minimum version of Consul supported by Nomad's Connect integration is now Consul v1.8.0.
+
 #### Linux Control Groups Version 2
 
 Starting with Nomad 1.3.0, Linux systems configured to use [cgroups v2][cgroups2]
@@ -1376,3 +1394,6 @@ deleted and then Nomad 0.3.0 can be launched.
 [cap_drop_exec]: /docs/drivers/exec#cap_drop
 [`log_file`]: /docs/configuration#log_file
 [Upgrading to Raft Protocol 3]: /docs/upgrade#upgrading-to-raft-protocol-3
+[`Local`]: https://www.consul.io/docs/security/acl/acl-tokens#token-attributes
+[anon_token]: https://www.consul.io/docs/security/acl/acl-tokens#special-purpose-tokens
+[consul_acl]: https://github.com/hashicorp/consul/issues/7414
\ No newline at end of file

From dd2724a8abd49ce96ea56af4c82ec6a25c05d14a Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Tue, 19 Apr 2022 07:48:56 -0500
Subject: [PATCH 3/3] cl: add missing prefix

---
 .changelog/8068.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/8068.txt b/.changelog/8068.txt
index 112b797db..c47b01e98 100644
--- a/.changelog/8068.txt
+++ b/.changelog/8068.txt
@@ -6,5 +6,5 @@ of sufficient node and service read permissions.
 ```
 
 ```release-note:breaking-change
-The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0.
+connect: The minimum Consul version supported by Nomad's Connect integration is now Consul v1.8.0.
 ```