WI: set the right identity name for Consul tasks (#18742)

Consul tasks should only have 1 identity of the form consul/{consul_cluster_name}.
This commit is contained in:
Piotr Kazmierczak
2023-10-12 20:34:15 +02:00
committed by GitHub
parent 3633ca0f8c
commit 91753308b3
6 changed files with 45 additions and 32 deletions


@@ -98,19 +98,25 @@ func (h *consulHook) Prerun() error {
}
func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.Task, tgName string, tokens map[string]map[string]string) error {
var consulClusterName string
if task.Consul != nil && task.Consul.Cluster != "" {
consulClusterName = task.Consul.Cluster
} else {
consulClusterName = structs.ConsulDefaultCluster
}
// get consul config
consulConfig := h.consulConfigs[consulClusterName]
// if UseIdentity is unset of set to false, quit
// FIXME Fetch from Task.Consul.Cluster once #18557 is in
consulConfig := h.consulConfigs[structs.ConsulDefaultCluster]
if consulConfig.UseIdentity == nil || !*consulConfig.UseIdentity {
return nil
}
expectedIdentity := task.MakeUniqueIdentityName(tgName)
// get tokens for alt identities for Consul
mErr := multierror.Error{}
for _, i := range task.Identities {
if i.Name != expectedIdentity {
if i.Name != fmt.Sprintf("%s_%s", structs.ConsulTaskIdentityNamePrefix, consulClusterName) {
continue
}
@@ -134,8 +140,7 @@ func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.
AuthMethodName: consulTasksAuthMethodName,
}
// FIXME Fetch from Task.Consul.Cluster once #18557 is in
if err := h.getConsulTokens(structs.ConsulDefaultCluster, ti.IdentityName, tokens, req); err != nil {
if err := h.getConsulTokens(consulClusterName, ti.IdentityName, tokens, req); err != nil {
return err
}
}
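Review bot: `consulConfig := h.consulConfigs[consulClusterName]` now looks up a cluster name taken from the job spec, and nothing checks that the key exists; if consulConfigs holds pointers (inferred, the map type is not in the hunk) an unknown cluster name yields nil and the `consulConfig.UseIdentity` dereference on the next line panics the client instead of failing the task. A guarded lookup such as `consulConfig, ok := h.consulConfigs[consulClusterName]` followed by `if !ok { return fmt.Errorf("no Consul config for cluster %q", consulClusterName) }` would turn that into a task error that the caller already handles. The cluster-name resolution and the `%s_%s` formatting in the identity loop also duplicate the `(*Consul).IdentityName()` helper this commit adds, so comparing against `task.Consul.IdentityName()` would keep the two from drifting apart. prepareConsulTokensForTask continues past this hunk into the second one and beyond.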


@@ -9,11 +9,6 @@ import (
"github.com/hashicorp/nomad/nomad/structs"
)
const (
consulServiceIdentityNamePrefix = "consul-service"
consulTaskIdentityNamePrefix = "consul"
)
// jobImplicitIdentitiesHook adds implicit `identity` blocks for external
// services, like Consul and Vault.
type jobImplicitIdentitiesHook struct {
@@ -35,7 +30,7 @@ func (h jobImplicitIdentitiesHook) Mutate(job *structs.Job) (*structs.Job, []err
h.handleConsulService(s)
}
if len(t.Templates) > 0 {
h.handleConsulTasks(t, tg.Name)
h.handleConsulTasks(t)
}
h.handleVault(t)
}
@@ -75,19 +70,18 @@ func (h jobImplicitIdentitiesHook) handleConsulService(s *structs.Service) {
// Set the expected identity name and service name.
name := s.MakeUniqueIdentityName()
serviceWID.Name = fmt.Sprintf("%s/%s", consulServiceIdentityNamePrefix, name)
serviceWID.Name = fmt.Sprintf("%s_%s", structs.ConsulServiceIdentityNamePrefix, name)
serviceWID.ServiceName = s.Name
s.Identity = serviceWID
}
func (h jobImplicitIdentitiesHook) handleConsulTasks(t *structs.Task, taskGroup string) {
func (h jobImplicitIdentitiesHook) handleConsulTasks(t *structs.Task) {
if !h.srv.config.UseConsulIdentity() {
return
}
name := t.MakeUniqueIdentityName(taskGroup)
widName := fmt.Sprintf("%s/%s", consulTaskIdentityNamePrefix, name)
widName := t.Consul.IdentityName()
// Use the Consul identity specified in the task if present
for _, wid := range t.Identities {
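Review bot: `widName := t.Consul.IdentityName()` is called on a field that may be nil, and it only works because the helper this commit adds on *Consul checks its own receiver; that contract is not visible here, so a comment would help the next reader: `// t.Consul may be nil; IdentityName tolerates a nil receiver and falls back to the default cluster.` For consistency, handleConsulService still formats its identity inline with `fmt.Sprintf("%s_%s", structs.ConsulServiceIdentityNamePrefix, name)` while the task path now goes through a method, so a matching helper on the service side would keep the naming scheme in one place. The body of handleConsulTasks continues outside the hunk.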


@@ -150,7 +150,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
TaskName: "task",
PortLabel: "80",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/task-web-80",
Name: "consul-service_task-web-80",
Audience: []string{"consul.io", "nomad.dev"},
File: true,
Env: false,
@@ -162,7 +162,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
TaskName: "task",
PortLabel: "80",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/task-web-80",
Name: "consul-service_task-web-80",
Audience: []string{"consul.io", "nomad.dev"},
File: true,
Env: false,
@@ -177,7 +177,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
TaskName: "task",
PortLabel: "80",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/task-web-task-80",
Name: "consul-service_task-web-task-80",
Audience: []string{"consul.io", "nomad.dev"},
File: true,
Env: false,
@@ -224,7 +224,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
Name: "web",
TaskName: "task",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/task-web-80",
Name: "consul-service_task-web-80",
Audience: []string{"consul.io"},
ServiceName: "web",
},
@@ -236,7 +236,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
Name: "web-task",
TaskName: "task",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/task-web-task-80",
Name: "consul-service_task-web-task-80",
Audience: []string{"consul.io"},
ServiceName: "web-task",
},
@@ -271,7 +271,7 @@ func Test_jobImplicitIndentitiesHook_Mutate_consul_service(t *testing.T) {
Name: "web-task",
Templates: []*structs.Template{{}},
Identities: []*structs.WorkloadIdentity{{
Name: "consul/group-web-task",
Name: "consul_default",
Audience: []string{"consul.io"},
}},
}},


@@ -61,7 +61,7 @@ func Test_jobValidate_Validate_consul_service(t *testing.T) {
Provider: "consul",
Name: "web",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/web",
Name: "consul-service_web",
Audience: []string{"consul.io"},
File: true,
Env: false,
@@ -81,7 +81,7 @@ func Test_jobValidate_Validate_consul_service(t *testing.T) {
Provider: "consul",
Name: "web",
Identity: &structs.WorkloadIdentity{
Name: "consul-service/web",
Name: "consul-service_web",
Audience: []string{"consul.io"},
File: true,
Env: false,
@@ -103,7 +103,7 @@ func Test_jobValidate_Validate_consul_service(t *testing.T) {
Provider: "consul",
Name: "web",
Identity: &structs.WorkloadIdentity{
Name: fmt.Sprintf("%s/web", consulServiceIdentityNamePrefix),
Name: fmt.Sprintf("%s_web", structs.ConsulServiceIdentityNamePrefix),
Audience: []string{"consul.io"},
File: true,
Env: false,


@@ -12,6 +12,13 @@ const (
// ConsulDefaultCluster is the name used for the Consul cluster that doesn't
// have a name.
ConsulDefaultCluster = "default"
// ConsulServiceIdentityNamePrefix is used in naming identities of consul
// services
ConsulServiceIdentityNamePrefix = "consul-service"
// ConsulTaskIdentityNamePrefix is used in naming identities of consul tasks
ConsulTaskIdentityNamePrefix = "consul"
)
// Consul represents optional per-group consul configuration.
@@ -55,6 +62,19 @@ func (c *Consul) Validate() error {
return nil
}
// IdentityName returns the name of the workload identity to be used to access
// this Consul cluster.
func (c *Consul) IdentityName() string {
var clusterName string
if c != nil && c.Cluster != "" {
clusterName = c.Cluster
} else {
clusterName = ConsulDefaultCluster
}
return fmt.Sprintf("%s_%s", ConsulTaskIdentityNamePrefix, clusterName)
}
var (
// validConsulVaultClusterName is the rule used to validate a Consul or
// Vault cluster name.
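Review bot: The doc comment on IdentityName should state that it is safe to call on a nil receiver, since the body explicitly handles `c == nil` and a caller in this commit relies on that behaviour: `// IdentityName is safe to call on a nil *Consul; a nil or unnamed cluster yields the identity for ConsulDefaultCluster.` The commit description says the identity takes the form `consul/{consul_cluster_name}`, but the code emits `consul_{cluster}` with an underscore, so one of the two should be corrected.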


@@ -7666,12 +7666,6 @@ func (t *Task) GetIdentity(name string) *WorkloadIdentity {
return nil
}
// MakeUniqueIdentityName returns a task identity name consisting of: task
// group name and task name.
func (t *Task) MakeUniqueIdentityName(taskGroup string) string {
return fmt.Sprintf("%v-%v", taskGroup, t.Name)
}
// IdentityHandle returns a WorkloadIdentityHandle which is a pair of unique WI
// name and task name.
func (t *Task) IdentityHandle(identity *WorkloadIdentity) *WIHandle {