config: add TTL to agent identity config (#18457)

Add support for identity token TTL in agent configuration fields such as Consul `service_identity` and `template_identity`. Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
2026-01-06 18:35:44 +03:00 · 2023-09-12 11:13:09 -03:00
parent 2e1974a574
commit 82372fecb8
8 changed files with 115 additions and 24 deletions
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -72,6 +72,29 @@ func ParseConfigFile(path string) (*Config, error) {
 		return nil, fmt.Errorf("failed to decode HCL file %s: %w", path, err)
 	}

+	// Re-parse the file to extract the multiple Vault configurations, which we
+	// need to parse by hand because we don't have a label on the block
+	root, err := hcl.Parse(buf.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse HCL file %s: %w", path, err)
+	}
+	list, ok := root.Node.(*ast.ObjectList)
+	if !ok {
+		return nil, fmt.Errorf("error parsing: root should be an object")
+	}
+	matches := list.Filter("vault")
+	if len(matches.Items) > 0 {
+		if err := parseVaults(c, matches); err != nil {
+			return nil, fmt.Errorf("error parsing 'vault': %w", err)
+		}
+	}
+	matches = list.Filter("consul")
+	if len(matches.Items) > 0 {
+		if err := parseConsuls(c, matches); err != nil {
+			return nil, fmt.Errorf("error parsing 'consul': %w", err)
+		}
+	}
+
 	// convert strings to time.Durations
 	tds := []durationConversionMap{
 		{"gc_interval", &c.Client.GCInterval, &c.Client.GCIntervalHCL, nil},
@@ -152,6 +175,30 @@ func ParseConfigFile(path string) (*Config, error) {
 		},
 	}

+	// Parse durations for Consul and Vault config blocks if provided.
+	//
+	// Since the map of multiple cluster configuration contains a pointer to
+	// the default block we don't need to parse it directly.
+	for name, consulConfig := range c.Consuls {
+		if consulConfig.ServiceIdentity != nil {
+			tds = append(tds, durationConversionMap{
+				fmt.Sprintf("consuls.%s.service_identity.ttl", name), nil, &consulConfig.ServiceIdentity.TTLHCL,
+				func(d *time.Duration) {
+					consulConfig.ServiceIdentity.TTL = d
+				},
+			})
+		}
+
+		if consulConfig.TemplateIdentity != nil {
+			tds = append(tds, durationConversionMap{
+				fmt.Sprintf("consuls.%s.template_identity.ttl", name), nil, &consulConfig.TemplateIdentity.TTLHCL,
+				func(d *time.Duration) {
+					consulConfig.TemplateIdentity.TTL = d
+				},
+			})
+		}
+	}
+
 	// Add enterprise audit sinks for time.Duration parsing
 	for i, sink := range c.Audit.Sinks {
 		tds = append(tds, durationConversionMap{
@@ -164,28 +211,6 @@ func ParseConfigFile(path string) (*Config, error) {
 		return nil, err
 	}

-	// Re-parse the file to extract the multiple Vault configurations, which we
-	// need to parse by hand because we don't have a label on the block
-	root, err := hcl.Parse(buf.String())
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse HCL file %s: %w", path, err)
-	}
-	list, ok := root.Node.(*ast.ObjectList)
-	if !ok {
-		return nil, fmt.Errorf("error parsing: root should be an object")
-	}
-	matches := list.Filter("vault")
-	if len(matches.Items) > 0 {
-		if err := parseVaults(c, matches); err != nil {
-			return nil, fmt.Errorf("error parsing 'vault': %w", err)
-		}
-	}
-	matches = list.Filter("consul")
-	if len(matches.Items) > 0 {
-		if err := parseConsuls(c, matches); err != nil {
-			return nil, fmt.Errorf("error parsing 'consul': %w", err)
-		}
-	}
 	// report unexpected keys
 	err = extraKeys(c)
 	if err != nil {
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -240,11 +240,15 @@ var basicConfig = &Config{
 			Audience: []string{"consul.io", "nomad.dev"},
 			Env:      pointer.Of(false),
 			File:     pointer.Of(true),
+			TTL:      pointer.Of(1 * time.Hour),
+			TTLHCL:   "1h",
 		},
 		TemplateIdentity: &config.WorkloadIdentityConfig{
 			Audience: []string{"consul.io"},
 			Env:      pointer.Of(true),
 			File:     pointer.Of(false),
+			TTL:      pointer.Of(2 * time.Hour),
+			TTLHCL:   "2h",
 		},
 	},
 	Consuls: map[string]*config.ConsulConfig{
@@ -276,11 +280,15 @@ var basicConfig = &Config{
 				Audience: []string{"consul.io", "nomad.dev"},
 				Env:      pointer.Of(false),
 				File:     pointer.Of(true),
+				TTL:      pointer.Of(1 * time.Hour),
+				TTLHCL:   "1h",
 			},
 			TemplateIdentity: &config.WorkloadIdentityConfig{
 				Audience: []string{"consul.io"},
 				Env:      pointer.Of(true),
 				File:     pointer.Of(false),
+				TTL:      pointer.Of(2 * time.Hour),
+				TTLHCL:   "2h",
 			},
 		},
 	},
--- a/command/agent/testdata/basic.hcl
+++ b/command/agent/testdata/basic.hcl
@@ -248,11 +248,13 @@ consul {
    aud  = ["consul.io", "nomad.dev"]
    env  = false
    file = true
+    ttl  = "1h"
  }
  template_identity {
    aud  = ["consul.io"]
    env  = true
    file = false
+    ttl  = "2h"
  }
 }

--- a/command/agent/testdata/basic.json
+++ b/command/agent/testdata/basic.json
@@ -173,7 +173,8 @@
          "nomad.dev"
        ],
        "env": false,
-        "file": true
+        "file": true,
+        "ttl": "1h"
      },
      "ssl": true,
      "template_identity": {
@@ -181,7 +182,8 @@
          "consul.io"
        ],
        "env": true,
-        "file": false
+        "file": false,
+        "ttl": "2h"
      },
      "timeout": "5s",
      "token": "token1",