Consul: agent config updates for WI (#18774)

This changeset makes two changes: * Removes the `consul.use_identity` field from the agent configuration. This behavior is properly covered by the presence of `consul.service_identity` / `consul.task_identity` blocks. * Adds a `consul.task_auth_method` and `consul.service_auth_method` fields to the agent configuration. This allows the cluster administrator to choose specific Consul Auth Method names for their environment, with a reasonable default.
2026-01-06 18:35:44 +03:00 · 2023-10-17 14:42:14 -04:00
parent ac56855f07
commit d0957eb109
16 changed files with 185 additions and 289 deletions
--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -213,29 +213,29 @@ var basicConfig = &Config{
 	DisableUpdateCheck:        pointer.Of(true),
 	DisableAnonymousSignature: true,
 	Consul: &config.ConsulConfig{
-		Name:                 structs.ConsulDefaultCluster,
-		ServerServiceName:    "nomad",
-		ServerHTTPCheckName:  "nomad-server-http-health-check",
-		ServerSerfCheckName:  "nomad-server-serf-health-check",
-		ServerRPCCheckName:   "nomad-server-rpc-health-check",
-		ClientServiceName:    "nomad-client",
-		ClientHTTPCheckName:  "nomad-client-http-health-check",
-		Addr:                 "127.0.0.1:9500",
-		AllowUnauthenticated: &trueValue,
-		Token:                "token1",
-		Auth:                 "username:pass",
-		EnableSSL:            &trueValue,
-		VerifySSL:            &trueValue,
-		CAFile:               "/path/to/ca/file",
-		CertFile:             "/path/to/cert/file",
-		KeyFile:              "/path/to/key/file",
-		ServerAutoJoin:       &trueValue,
-		ClientAutoJoin:       &trueValue,
-		AutoAdvertise:        &trueValue,
-		ChecksUseAdvertise:   &trueValue,
-		Timeout:              5 * time.Second,
-		TimeoutHCL:           "5s",
-		UseIdentity:          &trueValue,
+		Name:                      structs.ConsulDefaultCluster,
+		ServerServiceName:         "nomad",
+		ServerHTTPCheckName:       "nomad-server-http-health-check",
+		ServerSerfCheckName:       "nomad-server-serf-health-check",
+		ServerRPCCheckName:        "nomad-server-rpc-health-check",
+		ClientServiceName:         "nomad-client",
+		ClientHTTPCheckName:       "nomad-client-http-health-check",
+		Addr:                      "127.0.0.1:9500",
+		AllowUnauthenticated:      &trueValue,
+		Token:                     "token1",
+		Auth:                      "username:pass",
+		EnableSSL:                 &trueValue,
+		VerifySSL:                 &trueValue,
+		CAFile:                    "/path/to/ca/file",
+		CertFile:                  "/path/to/cert/file",
+		KeyFile:                   "/path/to/key/file",
+		ServerAutoJoin:            &trueValue,
+		ClientAutoJoin:            &trueValue,
+		AutoAdvertise:             &trueValue,
+		ChecksUseAdvertise:        &trueValue,
+		Timeout:                   5 * time.Second,
+		TimeoutHCL:                "5s",
+		ServiceIdentityAuthMethod: "nomad-workloads",
 		ServiceIdentity: &config.WorkloadIdentityConfig{
 			Audience: []string{"consul.io", "nomad.dev"},
 			Env:      pointer.Of(false),
@@ -243,6 +243,7 @@ var basicConfig = &Config{
 			TTL:      pointer.Of(1 * time.Hour),
 			TTLHCL:   "1h",
 		},
+		TaskIdentityAuthMethod: "nomad-tasks",
 		TaskIdentity: &config.WorkloadIdentityConfig{
 			Audience: []string{"consul.io"},
 			Env:      pointer.Of(true),
@@ -253,29 +254,29 @@ var basicConfig = &Config{
 	},
 	Consuls: map[string]*config.ConsulConfig{
 		structs.ConsulDefaultCluster: {
-			Name:                 structs.ConsulDefaultCluster,
-			ServerServiceName:    "nomad",
-			ServerHTTPCheckName:  "nomad-server-http-health-check",
-			ServerSerfCheckName:  "nomad-server-serf-health-check",
-			ServerRPCCheckName:   "nomad-server-rpc-health-check",
-			ClientServiceName:    "nomad-client",
-			ClientHTTPCheckName:  "nomad-client-http-health-check",
-			Addr:                 "127.0.0.1:9500",
-			AllowUnauthenticated: &trueValue,
-			Token:                "token1",
-			Auth:                 "username:pass",
-			EnableSSL:            &trueValue,
-			VerifySSL:            &trueValue,
-			CAFile:               "/path/to/ca/file",
-			CertFile:             "/path/to/cert/file",
-			KeyFile:              "/path/to/key/file",
-			ServerAutoJoin:       &trueValue,
-			ClientAutoJoin:       &trueValue,
-			AutoAdvertise:        &trueValue,
-			ChecksUseAdvertise:   &trueValue,
-			Timeout:              5 * time.Second,
-			TimeoutHCL:           "5s",
-			UseIdentity:          &trueValue,
+			Name:                      structs.ConsulDefaultCluster,
+			ServerServiceName:         "nomad",
+			ServerHTTPCheckName:       "nomad-server-http-health-check",
+			ServerSerfCheckName:       "nomad-server-serf-health-check",
+			ServerRPCCheckName:        "nomad-server-rpc-health-check",
+			ClientServiceName:         "nomad-client",
+			ClientHTTPCheckName:       "nomad-client-http-health-check",
+			Addr:                      "127.0.0.1:9500",
+			AllowUnauthenticated:      &trueValue,
+			Token:                     "token1",
+			Auth:                      "username:pass",
+			EnableSSL:                 &trueValue,
+			VerifySSL:                 &trueValue,
+			CAFile:                    "/path/to/ca/file",
+			CertFile:                  "/path/to/cert/file",
+			KeyFile:                   "/path/to/key/file",
+			ServerAutoJoin:            &trueValue,
+			ClientAutoJoin:            &trueValue,
+			AutoAdvertise:             &trueValue,
+			ChecksUseAdvertise:        &trueValue,
+			Timeout:                   5 * time.Second,
+			TimeoutHCL:                "5s",
+			ServiceIdentityAuthMethod: "nomad-workloads",
 			ServiceIdentity: &config.WorkloadIdentityConfig{
 				Audience: []string{"consul.io", "nomad.dev"},
 				Env:      pointer.Of(false),
@@ -283,6 +284,7 @@ var basicConfig = &Config{
 				TTL:      pointer.Of(1 * time.Hour),
 				TTLHCL:   "1h",
 			},
+			TaskIdentityAuthMethod: "nomad-tasks",
 			TaskIdentity: &config.WorkloadIdentityConfig{
 				Audience: []string{"consul.io"},
 				Env:      pointer.Of(true),