Consul: agent config updates for WI (#18774)

This changeset makes two changes: * Removes the `consul.use_identity` field from the agent configuration. This behavior is properly covered by the presence of `consul.service_identity` / `consul.task_identity` blocks. * Adds a `consul.task_auth_method` and `consul.service_auth_method` fields to the agent configuration. This allows the cluster administrator to choose specific Consul Auth Method names for their environment, with a reasonable default.
2026-01-07 19:05:42 +03:00 · 2023-10-17 14:42:14 -04:00
parent ac56855f07
commit d0957eb109
16 changed files with 185 additions and 289 deletions
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -213,29 +213,29 @@ var basicConfig = &Config{
 	DisableUpdateCheck:        pointer.Of(true),
 	DisableAnonymousSignature: true,
 	Consul: &config.ConsulConfig{
-		Name:                 structs.ConsulDefaultCluster,
-		ServerServiceName:    "nomad",
-		ServerHTTPCheckName:  "nomad-server-http-health-check",
-		ServerSerfCheckName:  "nomad-server-serf-health-check",
-		ServerRPCCheckName:   "nomad-server-rpc-health-check",
-		ClientServiceName:    "nomad-client",
-		ClientHTTPCheckName:  "nomad-client-http-health-check",
-		Addr:                 "127.0.0.1:9500",
-		AllowUnauthenticated: &trueValue,
-		Token:                "token1",
-		Auth:                 "username:pass",
-		EnableSSL:            &trueValue,
-		VerifySSL:            &trueValue,
-		CAFile:               "/path/to/ca/file",
-		CertFile:             "/path/to/cert/file",
-		KeyFile:              "/path/to/key/file",
-		ServerAutoJoin:       &trueValue,
-		ClientAutoJoin:       &trueValue,
-		AutoAdvertise:        &trueValue,
-		ChecksUseAdvertise:   &trueValue,
-		Timeout:              5 * time.Second,
-		TimeoutHCL:           "5s",
-		UseIdentity:          &trueValue,
+		Name:                      structs.ConsulDefaultCluster,
+		ServerServiceName:         "nomad",
+		ServerHTTPCheckName:       "nomad-server-http-health-check",
+		ServerSerfCheckName:       "nomad-server-serf-health-check",
+		ServerRPCCheckName:        "nomad-server-rpc-health-check",
+		ClientServiceName:         "nomad-client",
+		ClientHTTPCheckName:       "nomad-client-http-health-check",
+		Addr:                      "127.0.0.1:9500",
+		AllowUnauthenticated:      &trueValue,
+		Token:                     "token1",
+		Auth:                      "username:pass",
+		EnableSSL:                 &trueValue,
+		VerifySSL:                 &trueValue,
+		CAFile:                    "/path/to/ca/file",
+		CertFile:                  "/path/to/cert/file",
+		KeyFile:                   "/path/to/key/file",
+		ServerAutoJoin:            &trueValue,
+		ClientAutoJoin:            &trueValue,
+		AutoAdvertise:             &trueValue,
+		ChecksUseAdvertise:        &trueValue,
+		Timeout:                   5 * time.Second,
+		TimeoutHCL:                "5s",
+		ServiceIdentityAuthMethod: "nomad-workloads",
 		ServiceIdentity: &config.WorkloadIdentityConfig{
 			Audience: []string{"consul.io", "nomad.dev"},
 			Env:      pointer.Of(false),
@@ -243,6 +243,7 @@ var basicConfig = &Config{
 			TTL:      pointer.Of(1 * time.Hour),
 			TTLHCL:   "1h",
 		},
+		TaskIdentityAuthMethod: "nomad-tasks",
 		TaskIdentity: &config.WorkloadIdentityConfig{
 			Audience: []string{"consul.io"},
 			Env:      pointer.Of(true),
@@ -253,29 +254,29 @@ var basicConfig = &Config{
 	},
 	Consuls: map[string]*config.ConsulConfig{
 		structs.ConsulDefaultCluster: {
-			Name:                 structs.ConsulDefaultCluster,
-			ServerServiceName:    "nomad",
-			ServerHTTPCheckName:  "nomad-server-http-health-check",
-			ServerSerfCheckName:  "nomad-server-serf-health-check",
-			ServerRPCCheckName:   "nomad-server-rpc-health-check",
-			ClientServiceName:    "nomad-client",
-			ClientHTTPCheckName:  "nomad-client-http-health-check",
-			Addr:                 "127.0.0.1:9500",
-			AllowUnauthenticated: &trueValue,
-			Token:                "token1",
-			Auth:                 "username:pass",
-			EnableSSL:            &trueValue,
-			VerifySSL:            &trueValue,
-			CAFile:               "/path/to/ca/file",
-			CertFile:             "/path/to/cert/file",
-			KeyFile:              "/path/to/key/file",
-			ServerAutoJoin:       &trueValue,
-			ClientAutoJoin:       &trueValue,
-			AutoAdvertise:        &trueValue,
-			ChecksUseAdvertise:   &trueValue,
-			Timeout:              5 * time.Second,
-			TimeoutHCL:           "5s",
-			UseIdentity:          &trueValue,
+			Name:                      structs.ConsulDefaultCluster,
+			ServerServiceName:         "nomad",
+			ServerHTTPCheckName:       "nomad-server-http-health-check",
+			ServerSerfCheckName:       "nomad-server-serf-health-check",
+			ServerRPCCheckName:        "nomad-server-rpc-health-check",
+			ClientServiceName:         "nomad-client",
+			ClientHTTPCheckName:       "nomad-client-http-health-check",
+			Addr:                      "127.0.0.1:9500",
+			AllowUnauthenticated:      &trueValue,
+			Token:                     "token1",
+			Auth:                      "username:pass",
+			EnableSSL:                 &trueValue,
+			VerifySSL:                 &trueValue,
+			CAFile:                    "/path/to/ca/file",
+			CertFile:                  "/path/to/cert/file",
+			KeyFile:                   "/path/to/key/file",
+			ServerAutoJoin:            &trueValue,
+			ClientAutoJoin:            &trueValue,
+			AutoAdvertise:             &trueValue,
+			ChecksUseAdvertise:        &trueValue,
+			Timeout:                   5 * time.Second,
+			TimeoutHCL:                "5s",
+			ServiceIdentityAuthMethod: "nomad-workloads",
 			ServiceIdentity: &config.WorkloadIdentityConfig{
 				Audience: []string{"consul.io", "nomad.dev"},
 				Env:      pointer.Of(false),
@@ -283,6 +284,7 @@ var basicConfig = &Config{
 				TTL:      pointer.Of(1 * time.Hour),
 				TTLHCL:   "1h",
 			},
+			TaskIdentityAuthMethod: "nomad-tasks",
 			TaskIdentity: &config.WorkloadIdentityConfig{
 				Audience: []string{"consul.io"},
 				Env:      pointer.Of(true),
--- a/command/agent/job_endpoint_test.go
+++ b/command/agent/job_endpoint_test.go
@@ -787,16 +787,16 @@ func TestHTTP_JobUpdate_EvalPriority(t *testing.T) {

 				// Make the HTTP request
 				req, err := http.NewRequest(http.MethodPut, "/v1/job/"+*job.ID, buf)
-				assert.Nil(t, err)
+				must.NoError(t, err)
 				respW := httptest.NewRecorder()

 				// Make the request
 				obj, err := s.Server.JobSpecificRequest(respW, req)
 				if tc.expectedError {
-					assert.NotNil(t, err)
+					must.Error(t, err)
 					return
 				} else {
-					assert.Nil(t, err)
+					must.NoError(t, err)
 				}

 				// Check the response
@@ -813,7 +813,7 @@ func TestHTTP_JobUpdate_EvalPriority(t *testing.T) {
 					},
 				}
 				var getResp structs.SingleJobResponse
-				assert.Nil(t, s.Agent.RPC("Job.GetJob", &getReq, &getResp))
+				must.NoError(t, s.Agent.RPC("Job.GetJob", &getReq, &getResp))
 				assert.NotNil(t, getResp.Job)

 				// Check the evaluation that resulted from the job register.
--- a/command/agent/testdata/basic.hcl
+++ b/command/agent/testdata/basic.hcl
@@ -245,13 +245,16 @@ consul {
  auto_advertise         = true
  checks_use_advertise   = true
  timeout                = "5s"
-  use_identity           = true
+  service_auth_method    = "nomad-workloads"
+  task_auth_method       = "nomad-tasks"
+
  service_identity {
    aud  = ["consul.io", "nomad.dev"]
    env  = false
    file = true
    ttl  = "1h"
  }
+
  task_identity {
    aud  = ["consul.io"]
    env  = true
--- a/command/agent/testdata/basic.json
+++ b/command/agent/testdata/basic.json
@@ -167,6 +167,9 @@
      "server_rpc_check_name": "nomad-server-rpc-health-check",
      "server_serf_check_name": "nomad-server-serf-health-check",
      "server_service_name": "nomad",
+      "service_auth_method": "nomad-workloads",
+      "task_auth_method": "nomad-tasks",
+
      "service_identity": {
        "aud": [
          "consul.io",
@@ -187,7 +190,6 @@
      },
      "timeout": "5s",
      "token": "token1",
-      "use_identity": true,
      "verify_ssl": true
    }
  ],