From c0eccda4f75fe983cd4d9ca3d7ad6aa6014a5142 Mon Sep 17 00:00:00 2001
From: James Rasell
Date: Fri, 7 Mar 2025 15:32:02 +0100
Subject: [PATCH] template: Set any Consul token generated by workload identity. (#25309)
---
 .../taskrunner/template/template.go | 5 ++
 .../taskrunner/template/template_test.go | 59 +++++++++++++++++++
 2 files changed, 64 insertions(+)
diff --git a/client/allocrunner/taskrunner/template/template.go b/client/allocrunner/taskrunner/template/template.go
index 4b95c82e2..1d7b12746 100644
--- a/client/allocrunner/taskrunner/template/template.go
+++ b/client/allocrunner/taskrunner/template/template.go
@@ -829,6 +829,11 @@ func newRunnerConfig(config *TaskTemplateManagerConfig,
 if config.ConsulConfig != nil {
 conf.Consul.Address = &config.ConsulConfig.Addr
 
+ // Populate the Consul configuration using any potential token that has
+ // been generated via workload identity. In the case no token has been
+ // generated, the empty string is safe to blindly add.
+ conf.Consul.Token = &config.ConsulToken
+
 // Get the Consul namespace from agent config. This is the lower level
 // of precedence (beyond default).
 if config.ConsulConfig.Namespace != "" {
diff --git a/client/allocrunner/taskrunner/template/template_test.go b/client/allocrunner/taskrunner/template/template_test.go
index 68f815018..d89d13401 100644
--- a/client/allocrunner/taskrunner/template/template_test.go
+++ b/client/allocrunner/taskrunner/template/template_test.go
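Review bot: The comment above `conf.Consul.Token = &config.ConsulToken` calls the empty string "safe to blindly add" without saying why, and the reason is security-relevant. Setting a non-nil pointer even when no workload identity token exists presumably pins the runner to this task's token or none, instead of leaving the field for later defaulting to fill; that is inferred, since the defaulting code is not in this hunk. I would state it in the comment, e.g. `// Always set the field, even to "": the runner must use this task's workload identity token or no token, never one picked up from defaults.` The assignment also aliases the manager config's field rather than copying it, as the `Address` line above does. newRunnerConfig starts and ends outside the hunk.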
@@ -2525,6 +2525,65 @@ func TestTaskTemplateManager_Template_Wait_Set(t *testing.T) {
 }
 }
 
+func Test_newRunnerConfig_consul(t *testing.T) {
+ ci.Parallel(t)
+
+ testCases := []struct {
+ name string
+ inputConfig *TaskTemplateManagerConfig
+ expectedOutputConfig *ctconf.ConsulConfig
+ }{
+ {
+ name: "consul WI token",
+ inputConfig: &TaskTemplateManagerConfig{
+ ConsulConfig: sconfig.DefaultConsulConfig(),
+ ConsulToken: "token",
+ ClientConfig: config.DefaultConfig(),
+ },
+ expectedOutputConfig: &ctconf.ConsulConfig{
+ Address: pointer.Of("127.0.0.1:8500"),
+ Namespace: pointer.Of(""),
+ Auth: ctconf.DefaultAuthConfig(),
+ Retry: ctconf.DefaultRetryConfig(),
+ SSL: ctconf.DefaultSSLConfig(),
+ Token: pointer.Of("token"),
+ TokenFile: pointer.Of(""),
+ Transport: ctconf.DefaultTransportConfig(),
+ },
+ },
+ {
+ name: "no consul WI token",
+ inputConfig: &TaskTemplateManagerConfig{
+ ConsulConfig: sconfig.DefaultConsulConfig(),
+ ClientConfig: config.DefaultConfig(),
+ },
+ expectedOutputConfig: &ctconf.ConsulConfig{
+ Address: pointer.Of("127.0.0.1:8500"),
+ Namespace: pointer.Of(""),
+ Auth: ctconf.DefaultAuthConfig(),
+ Retry: ctconf.DefaultRetryConfig(),
+ SSL: ctconf.DefaultSSLConfig(),
+ Token: pointer.Of(""),
+ TokenFile: pointer.Of(""),
+ Transport: ctconf.DefaultTransportConfig(),
+ },
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+
+ // Finalize the expected configuration, so we don't have to set up
+ // all the pointers.
+ tc.expectedOutputConfig.Finalize()
+
+ actualOutputConfig, err := newRunnerConfig(tc.inputConfig, nil)
+ must.NoError(t, err)
+ must.Eq(t, tc.expectedOutputConfig, actualOutputConfig.Consul)
+ })
+ }
+}
+
 // TestTaskTemplateManager_Template_ErrMissingKey_Set asserts that all template level
 // configuration is accurately mapped from the template to the TaskTemplateManager's
 // template config.
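Review bot: Both table cases build `ConsulConfig` from `sconfig.DefaultConsulConfig()`, so nothing pins what happens when the agent's own Consul configuration carries a token and the task has no workload identity token. If the intent is that an agent-level token never reaches a task's template runner, add a third case that sets `Token` on the input `ConsulConfig` to a constructed value such as `"agent-token"`, leaves `ConsulToken` empty, and still expects `Token: pointer.Of("")`. That negative case would catch a later change that reintroduces a fallback to the agent token. Separately, `tc.expectedOutputConfig.Finalize()` mutates the table entry inside the subtest, which deserves a short comment in case the subtests are ever run in parallel.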