mirror of
https://github.com/kemko/nomad.git
synced 2026-01-06 10:25:42 +03:00
c7c3b3ae33
Add a `Postrun` and `Destroy` hook to the allocrunner's `consul_hook` to ensure that Consul tokens we've created via WI get revoked via the logout API when we're done with them. Also add the logout to the `Prerun` hook if we've hit an error.
79 lines
2.2 KiB
Go
79 lines
2.2 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package taskrunner
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"slices"
|
|
|
|
log "github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/go-multierror"
|
|
"github.com/hashicorp/nomad/client/allocrunner/interfaces"
|
|
cstructs "github.com/hashicorp/nomad/client/structs"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
)
|
|
|
|
const (
|
|
// consulTokenFilePrefix is the begging of the name of the file holding the
|
|
// Consul SI token inside the task's secret directory. Full name of the file is
|
|
// always consulTokenFilePrefix_identityName
|
|
consulTokenFilePrefix = "nomad_consul"
|
|
|
|
// consulTokenFilePerms is the level of file permissions granted on the file in
|
|
// the secrets directory for the task
|
|
consulTokenFilePerms = 0440
|
|
)
|
|
|
|
type consulHook struct {
|
|
task *structs.Task
|
|
tokenDir string
|
|
hookResources *cstructs.AllocHookResources
|
|
logger log.Logger
|
|
}
|
|
|
|
func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.AllocHookResources) *consulHook {
|
|
h := &consulHook{
|
|
task: tr.Task(),
|
|
tokenDir: tr.taskDir.SecretsDir,
|
|
hookResources: hookResources,
|
|
}
|
|
h.logger = logger.Named(h.Name())
|
|
return h
|
|
}
|
|
|
|
func (*consulHook) Name() string {
|
|
return "consul_task"
|
|
}
|
|
|
|
func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error {
|
|
mErr := multierror.Error{}
|
|
|
|
tokens := h.hookResources.GetConsulTokens()
|
|
|
|
// Write tokens to tasks' secret dirs
|
|
for cluster, t := range tokens {
|
|
for identity, token := range t {
|
|
// do not write tokens that do not belong to any of this task's
|
|
// identities
|
|
if !slices.ContainsFunc(
|
|
h.task.Identities,
|
|
func(id *structs.WorkloadIdentity) bool { return id.Name == identity }) &&
|
|
identity != h.task.Identity.Name {
|
|
continue
|
|
}
|
|
|
|
filename := fmt.Sprintf("%s_%s_%s", consulTokenFilePrefix, cluster, identity)
|
|
tokenPath := filepath.Join(h.tokenDir, filename)
|
|
if err := os.WriteFile(tokenPath, []byte(token.SecretID), consulTokenFilePerms); err != nil {
|
|
mErr.Errors = append(mErr.Errors, fmt.Errorf("failed to write Consul SI token: %w", err))
|
|
}
|
|
}
|
|
}
|
|
|
|
return mErr.ErrorOrNil()
|
|
}
|