mirror of
https://github.com/kemko/nomad.git
synced 2026-01-06 18:35:44 +03:00
cf25cf5cd5
Our `consulcompat` tests exercise both the Workload Identity and legacy Consul token workflow, but they are limited to running single node tests. The E2E cluster is network isolated, so using our HCP Consul cluster runs into a problem validating WI tokens because it can't reach the JWKS endpoint. In real production environments, you'd solve this with a CNAME pointing to a public IP pointing to a proxy with a real domain name. But that's logisitcally impractical for our ephemeral nightly cluster. Migrate the HCP Consul to a single-node Consul cluster on AWS EC2 alongside our Nomad cluster. Bootstrap TLS and ACLs in Terraform and ensure all nodes can reach each other. This will allow us to update our Consul tests so they can use Workload Identity, in a separate PR. Ref: #19698
35 lines
961 B
HCL
35 lines
961 B
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
// The Nomad Client will be registering things into its buddy Consul Client.
|
|
// Note: because we also test the use of Consul namespaces, this token must be
|
|
// able to register services, read the keystore, and read node data for any
|
|
// namespace.
|
|
// The operator=write permission is required for creating config entries for
|
|
// connect ingress gateways. operator ACLs are not namespaced, though the
|
|
// config entries they can generate are.
|
|
operator = "write"
|
|
|
|
agent_prefix "" {
|
|
policy = "read"
|
|
}
|
|
|
|
namespace_prefix "" {
|
|
// The acl=write permission is required for generating Consul Service Identity
|
|
// tokens for consul connect services. Those services could be configured for
|
|
// any Consul namespace the job-submitter has access to.
|
|
acl = "write"
|
|
|
|
key_prefix "" {
|
|
policy = "read"
|
|
}
|
|
|
|
node_prefix "" {
|
|
policy = "read"
|
|
}
|
|
|
|
service_prefix "" {
|
|
policy = "write"
|
|
}
|
|
}
|