From bf65e44a09225a5fd9ddf429b18d0274fcc68943 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Wed, 4 Oct 2023 11:12:50 -0400
Subject: [PATCH] consul: only fetch Consul tokens for Consul-specific identities (#18649)

Only the workload identities signed specifically for Consul, named for the task or service, should result in authenticating to Consul to get tokens.
---
 client/allocrunner/consul_hook.go | 36 ++++----------------
 client/allocrunner/taskrunner/consul_hook.go | 2 +-
 2 files changed, 8 insertions(+), 30 deletions(-)

diff --git a/client/allocrunner/consul_hook.go b/client/allocrunner/consul_hook.go
index e289b723f..5cdcfc4ea 100644
--- a/client/allocrunner/consul_hook.go
+++ b/client/allocrunner/consul_hook.go
@@ -82,7 +82,7 @@ func (h *consulHook) Prerun() error {
 if err := h.prepareConsulTokensForServices(task.Services, tokens); err != nil {
 mErr.Errors = append(mErr.Errors, err)
 }
- if err := h.prepareConsulTokensForTask(job, task, tokens); err != nil {
+ if err := h.prepareConsulTokensForTask(job, task, tg.Name, tokens); err != nil {
 mErr.Errors = append(mErr.Errors, err)
 }
 }
@@ -94,7 +94,7 @@ func (h *consulHook) Prerun() error {
 return mErr.ErrorOrNil()
 }
-func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.Task, tokens map[string]map[string]string) error {
+func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.Task, tgName string, tokens map[string]map[string]string) error {
 // if UseIdentity is unset of set to false, quit
 // FIXME Fetch from Task.Consul.Cluster once #18557 is in
 consulConfig := h.consulConfigs[structs.ConsulDefaultCluster]
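Review bot: prepareConsulTokensForTask gains a tgName parameter in this hunk but still carries no doc comment, so a reader has to open the body to learn that tgName only serves to build the name of the identity the task is expected to log in with. A comment such as `// prepareConsulTokensForTask logs in to Consul with the task's Consul-specific workload identity, whose name is derived from tgName via task.MakeUniqueIdentityName, and stores the tokens it obtains in tokens.` would make the new parameter self-explaining. The function's body continues outside this hunk.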
@@ -102,36 +102,14 @@ func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.
 return nil
 }
- // default identity
- ti := widmgr.TaskIdentity{
- TaskName: task.Name,
- IdentityName: task.Identity.Name,
- }
+ expectedIdentity := task.MakeUniqueIdentityName(tgName)
- req, err := h.prepareConsulClientReq(ti, consulTasksAuthMethodName)
- if err != nil {
- return err
- }
-
- jwt, err := h.widmgr.Get(ti)
- if err != nil {
- h.logger.Error("error getting signed identity", "error", err)
- return err
- }
-
- req[task.Identity.Name] = consul.JWTLoginRequest{
- JWT: jwt.JWT,
- AuthMethodName: consulTasksAuthMethodName,
- }
-
- // FIXME Fetch from Task.Consul.Cluster once #18557 is in
- if err := h.getConsulTokens(structs.ConsulDefaultCluster, task.Identity.Name, tokens, req); err != nil {
- return err
- }
-
- // alt identities
+ // get tokens for alt identities for Consul
 mErr := multierror.Error{}
 for _, i := range task.Identities {
+ if i.Name != expectedIdentity {
+ continue
+ }
 ti := widmgr.TaskIdentity{
 TaskName: task.Name,
 IdentityName: i.Name,
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
index 3a5159ae9..c59bbae64 100644
--- a/client/allocrunner/taskrunner/consul_hook.go
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -46,7 +46,7 @@ func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.Al
 }
 func (*consulHook) Name() string {
- return "consul"
+ return "consul_task"
 }
 func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error {
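Review bot: When no entry of task.Identities is named expectedIdentity the new `if i.Name != expectedIdentity { continue }` guard skips every iteration and the function completes without any Consul login, whereas the removed block always authenticated with the default identity; if the scheduler is expected to inject that identity whenever the task uses Consul, a silent no-op hides a misconfiguration, so `h.logger.Debug("no Consul-specific identity for task", "task", task.Name, "expected", expectedIdentity)` after the loop would help diagnosis. The comment `// get tokens for alt identities for Consul` is now misleading because the default-identity path it contrasted with is gone; `// only the identity named for this task by MakeUniqueIdentityName is presented to Consul's auth method` states the new rule and why it is narrower. Presenting only the JWT minted for Consul rather than the general task identity is the right least-privilege direction, and if identity names are unique within a task the loop can also `break` once the match has been processed instead of scanning the rest. Anything that looked tokens up under task.Identity.Name, the key the removed getConsulTokens call wrote, will no longer find an entry; those readers and the rest of the loop body are outside this hunk.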