config: fix identity config for Consul service (#18363)

Rename the agent configuration for workload identity to
`WorkloadIdentityConfig` to make its use more explicit and remove the
`ServiceName` field since it is never expected to be defined in a
configuration file.

Also update the job mutation to inject a service identity following
these rules:

1. Don't inject identity if `consul.use_identity` is false.
2. Don't inject identity if `consul.service_identity` is not specified.
3. Don't inject identity if service provider is not `consul`.
4. Set name and service name if the service specifies an identity.
5. Inject `consul.service_identity` if service does not specify an
   identity.
Luiz Aoqui
2023-08-31 10:22:48 -04:00
committed by GitHub
parent 05c3322214
commit 7466496608
15 changed files with 904 additions and 239 deletions


@@ -57,8 +57,8 @@ func ParseConfigFile(path string) (*Config, error) {
ACL: &ACLConfig{},
Audit: &config.AuditConfig{},
Consul: &config.ConsulConfig{
ServiceIdentity: &config.WorkloadIdentity{},
TemplateIdentity: &config.WorkloadIdentity{},
ServiceIdentity: &config.WorkloadIdentityConfig{},
TemplateIdentity: &config.WorkloadIdentityConfig{},
},
Consuls: map[string]*config.ConsulConfig{},
Autopilot: &config.AutopilotConfig{},
@@ -418,7 +418,7 @@ func parseConsuls(c *Config, list *ast.ObjectList) error {
return err
}
var serviceIdentity config.WorkloadIdentity
var serviceIdentity config.WorkloadIdentityConfig
if err := mapstructure.WeakDecode(m, &serviceIdentity); err != nil {
return err
}
@@ -432,7 +432,7 @@ func parseConsuls(c *Config, list *ast.ObjectList) error {
return err
}
var templateIdentity config.WorkloadIdentity
var templateIdentity config.WorkloadIdentityConfig
if err := mapstructure.WeakDecode(m, &templateIdentity); err != nil {
return err
}
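Review bot: Both `mapstructure.WeakDecode(m, &serviceIdentity)` and the matching `templateIdentity` call in parseConsuls ignore keys that match no struct field, so an agent file that still sets the field this commit removes, or misspells one of the remaining keys, would load without error and the identity would silently lack that setting. For a block that controls the token audience and how the token is exposed to the workload (env or file), a strict decode is safer: build the decoder explicitly with `ErrorUnused: true` while keeping the weak typing. This assumes no key validation happens in the part of parseConsuls outside these hunks, which starts and ends beyond the visible lines. Any key that is handled separately from the struct would need to be removed from `m` before decoding.

```go
var serviceIdentity config.WorkloadIdentityConfig
dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
	WeaklyTypedInput: true, // same coercions as WeakDecode
	ErrorUnused:      true, // reject keys that match no field
	Result:           &serviceIdentity,
})
if err != nil {
	return err
}
if err := dec.Decode(m); err != nil {
	return err
}
// … same pattern for templateIdentity …
```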


@@ -236,15 +236,15 @@ var basicConfig = &Config{
Timeout: 5 * time.Second,
TimeoutHCL: "5s",
UseIdentity: &trueValue,
ServiceIdentity: &config.WorkloadIdentity{
ServiceIdentity: &config.WorkloadIdentityConfig{
Audience: []string{"consul.io", "nomad.dev"},
Env: false,
File: true,
Env: pointer.Of(false),
File: pointer.Of(true),
},
TemplateIdentity: &config.WorkloadIdentity{
TemplateIdentity: &config.WorkloadIdentityConfig{
Audience: []string{"consul.io"},
Env: true,
File: false,
Env: pointer.Of(true),
File: pointer.Of(false),
},
},
Consuls: map[string]*config.ConsulConfig{
@@ -272,15 +272,15 @@ var basicConfig = &Config{
Timeout: 5 * time.Second,
TimeoutHCL: "5s",
UseIdentity: &trueValue,
ServiceIdentity: &config.WorkloadIdentity{
ServiceIdentity: &config.WorkloadIdentityConfig{
Audience: []string{"consul.io", "nomad.dev"},
Env: false,
File: true,
Env: pointer.Of(false),
File: pointer.Of(true),
},
TemplateIdentity: &config.WorkloadIdentity{
TemplateIdentity: &config.WorkloadIdentityConfig{
Audience: []string{"consul.io"},
Env: true,
File: false,
Env: pointer.Of(true),
File: pointer.Of(false),
},
},
},