consul: only fetch Consul tokens for Consul-specific identities (#18649)

Only the workload identities signed specifically for Consul, named for the task or service, should result in authenticating to Consul to get tokens.
2026-01-01 16:05:42 +03:00 · 2023-10-04 11:12:50 -04:00
parent aa9ff3a5b3
commit bf65e44a09
2 changed files with 8 additions and 30 deletions
--- a/client/allocrunner/consul_hook.go
+++ b/client/allocrunner/consul_hook.go
@@ -82,7 +82,7 @@ func (h *consulHook) Prerun() error {
 			if err := h.prepareConsulTokensForServices(task.Services, tokens); err != nil {
 				mErr.Errors = append(mErr.Errors, err)
 			}
-			if err := h.prepareConsulTokensForTask(job, task, tokens); err != nil {
+			if err := h.prepareConsulTokensForTask(job, task, tg.Name, tokens); err != nil {
 				mErr.Errors = append(mErr.Errors, err)
 			}
 		}
@@ -94,7 +94,7 @@ func (h *consulHook) Prerun() error {
 	return mErr.ErrorOrNil()
 }

-func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.Task, tokens map[string]map[string]string) error {
+func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.Task, tgName string, tokens map[string]map[string]string) error {
 	// if UseIdentity is unset of set to false, quit
 	// FIXME Fetch from Task.Consul.Cluster once #18557 is in
 	consulConfig := h.consulConfigs[structs.ConsulDefaultCluster]
@@ -102,36 +102,14 @@ func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.
 		return nil
 	}

-	// default identity
-	ti := widmgr.TaskIdentity{
-		TaskName:     task.Name,
-		IdentityName: task.Identity.Name,
-	}
+	expectedIdentity := task.MakeUniqueIdentityName(tgName)

-	req, err := h.prepareConsulClientReq(ti, consulTasksAuthMethodName)
-	if err != nil {
-		return err
-	}
-
-	jwt, err := h.widmgr.Get(ti)
-	if err != nil {
-		h.logger.Error("error getting signed identity", "error", err)
-		return err
-	}
-
-	req[task.Identity.Name] = consul.JWTLoginRequest{
-		JWT:            jwt.JWT,
-		AuthMethodName: consulTasksAuthMethodName,
-	}
-
-	// FIXME Fetch from Task.Consul.Cluster once #18557 is in
-	if err := h.getConsulTokens(structs.ConsulDefaultCluster, task.Identity.Name, tokens, req); err != nil {
-		return err
-	}
-
-	// alt identities
+	// get tokens for alt identities for Consul
 	mErr := multierror.Error{}
 	for _, i := range task.Identities {
+		if i.Name != expectedIdentity {
+			continue
+		}
 		ti := widmgr.TaskIdentity{
 			TaskName:     task.Name,
 			IdentityName: i.Name,
--- a/client/allocrunner/taskrunner/consul_hook.go
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -46,7 +46,7 @@ func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.Al
 }

 func (*consulHook) Name() string {
-	return "consul"
+	return "consul_task"
 }

 func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error {