ACLs: allow/deny/default config for Consul/Vault clusters by namespace (#18425)

In Nomad Enterprise when multiple Vault/Consul clusters are configured, cluster admins can control access to clusters for jobs via namespace ACLs, similar to how we've done so for node pools. This changeset updates the ACL configuration structs, but doesn't wire them up.
2026-01-04 17:35:43 +03:00 · 2023-09-08 11:37:20 -04:00
parent b022346575
commit 3ee6c31241
12 changed files with 348 additions and 0 deletions
--- a/api/namespace.go
+++ b/api/namespace.go
@@ -75,6 +75,8 @@ type Namespace struct {
 	Quota                 string
 	Capabilities          *NamespaceCapabilities          `hcl:"capabilities,block"`
 	NodePoolConfiguration *NamespaceNodePoolConfiguration `hcl:"node_pool_config,block"`
+	VaultConfiguration    *NamespaceVaultConfiguration    `hcl:"vault,block"`
+	ConsulConfiguration   *NamespaceConsulConfiguration   `hcl:"consul,block"`
 	Meta                  map[string]string
 	CreateIndex           uint64
 	ModifyIndex           uint64
@@ -95,6 +97,50 @@ type NamespaceNodePoolConfiguration struct {
 	Denied  []string
 }

+// NamespaceVaultConfiguration stores configuration about permissions to Vault
+// clusters for a namespace, for use with Nomad Enterprise.
+type NamespaceVaultConfiguration struct {
+	// Default is the Vault cluster used by jobs in this namespace that don't
+	// specify a cluster of their own.
+	Default string
+
+	// Allowed specifies the Vault clusters that are allowed to be used by jobs
+	// in this namespace. By default, all clusters are allowed. If an empty list
+	// is provided only the namespace's default cluster is allowed. This field
+	// supports wildcard globbing through the use of `*` for multi-character
+	// matching. This field cannot be used with Denied.
+	Allowed []string
+
+	// Denied specifies the Vault clusters that are not allowed to be used by
+	// jobs in this namespace. This field supports wildcard globbing through the
+	// use of `*` for multi-character matching. If specified, any cluster is
+	// allowed to be used, except for those that match any of these patterns.
+	// This field cannot be used with Allowed.
+	Denied []string
+}
+
+// NamespaceConsulConfiguration stores configuration about permissions to Consul
+// clusters for a namespace, for use with Nomad Enterprise.
+type NamespaceConsulConfiguration struct {
+	// Default is the Consul cluster used by jobs in this namespace that don't
+	// specify a cluster of their own.
+	Default string
+
+	// Allowed specifies the Consul clusters that are allowed to be used by jobs
+	// in this namespace. By default, all clusters are allowed. If an empty list
+	// is provided only the namespace's default cluster is allowed. This field
+	// supports wildcard globbing through the use of `*` for multi-character
+	// matching. This field cannot be used with Denied.
+	Allowed []string
+
+	// Denied specifies the Consul clusters that are not allowed to be used by
+	// jobs in this namespace. This field supports wildcard globbing through the
+	// use of `*` for multi-character matching. If specified, any cluster is
+	// allowed to be used, except for those that match any of these patterns.
+	// This field cannot be used with Allowed.
+	Denied []string
+}
+
 // NamespaceIndexSort is a wrapper to sort Namespaces by CreateIndex. We
 // reverse the test so that we get the highest index first.
 type NamespaceIndexSort []*Namespace