[NET-6251] Nomad client templated policy (#19827)

Ronald 2023-12-06 10:32:12 -05:00 committed by GitHub
parent 334de1460c
commit dc02fa695f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 67 additions and 2 deletions

3
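--- /dev/null
+++ b/.changelog/19827.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+acl: Adds nomad client templated policy
+```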


@ -1407,7 +1407,7 @@ func TestACL_HTTP(t *testing.T) {
var list map[string]api.ACLTemplatedPolicyResponse var list map[string]api.ACLTemplatedPolicyResponse
require.NoError(t, json.NewDecoder(resp.Body).Decode(&list)) require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
require.Len(t, list, 6) require.Len(t, list, 7)
require.Equal(t, api.ACLTemplatedPolicyResponse{ require.Equal(t, api.ACLTemplatedPolicyResponse{
TemplateName: api.ACLTemplatedPolicyServiceName, TemplateName: api.ACLTemplatedPolicyServiceName,


@ -41,6 +41,7 @@ const (
ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006" ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007" ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008" ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008"
ACLTemplatedPolicyNomadClientID = "00000000-0000-0000-0000-000000000009"
ACLTemplatedPolicyServiceDescription = "Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services." ACLTemplatedPolicyServiceDescription = "Gives the token or role permissions to register a service and discover services in the Consul catalog. It also gives the specified service's sidecar proxy the permission to discover and route traffic to other services."
ACLTemplatedPolicyNodeDescription = "Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container." ACLTemplatedPolicyNodeDescription = "Gives the token or role permissions for a register an agent/node into the catalog. A node is typically a consul agent but can also be a physical server, cloud instance or a container."
@ -48,6 +49,7 @@ const (
ACLTemplatedPolicyNomadServerDescription = "Gives the token or role permissions required for integration with a nomad server." ACLTemplatedPolicyNomadServerDescription = "Gives the token or role permissions required for integration with a nomad server."
ACLTemplatedPolicyWorkloadIdentityDescription = "Gives the token or role permissions for a specific workload identity." ACLTemplatedPolicyWorkloadIdentityDescription = "Gives the token or role permissions for a specific workload identity."
ACLTemplatedPolicyAPIGatewayDescription = "Gives the token or role permissions for a Consul api gateway" ACLTemplatedPolicyAPIGatewayDescription = "Gives the token or role permissions for a Consul api gateway"
ACLTemplatedPolicyNomadClientDescription = "Gives the token or role permissions required for integration with a nomad client."
ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
) )
@ -108,6 +110,13 @@ var (
Template: ACLTemplatedPolicyAPIGateway, Template: ACLTemplatedPolicyAPIGateway,
Description: ACLTemplatedPolicyAPIGatewayDescription, Description: ACLTemplatedPolicyAPIGatewayDescription,
}, },
api.ACLTemplatedPolicyNomadClientName: {
TemplateID: ACLTemplatedPolicyNomadClientID,
TemplateName: api.ACLTemplatedPolicyNomadClientName,
Schema: ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: ACLTemplatedPolicyNomadClient,
Description: ACLTemplatedPolicyNomadClientDescription,
},
} }
) )


@ -25,6 +25,9 @@ var ACLTemplatedPolicyWorkloadIdentity string
//go:embed acltemplatedpolicy/policies/ce/api-gateway.hcl //go:embed acltemplatedpolicy/policies/ce/api-gateway.hcl
var ACLTemplatedPolicyAPIGateway string var ACLTemplatedPolicyAPIGateway string
//go:embed acltemplatedpolicy/policies/ce/nomad-client.hcl
var ACLTemplatedPolicyNomadClient string
func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy { func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
if len(t.TemplatedPolicies) == 0 { if len(t.TemplatedPolicies) == 0 {
return nil return nil


@ -0,0 +1,12 @@
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "read"
}
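Review bot: The template grants cluster-wide rights — `service_prefix "" { policy = "write" }` covers every service and `key_prefix "" { policy = "read" }` the whole KV tree — and because it is registered with the no-required-variables schema, nothing scopes it to a namespace, partition or node. Those grants are presumably what a Nomad client needs to register services and read KV, but nothing in the commit records why each rule is required, and the exported var at the `//go:embed` line in the structs hunk has no doc comment. Comments cannot go into this .hcl file without also appearing in the embedded `Template` string and in the JSON and pretty fixtures this commit adds, so put the rationale on the Go side, e.g. `// ACLTemplatedPolicyNomadClient is the builtin/nomad-client template: cluster-wide read on agents, nodes and KV plus write on all services, as Nomad's Consul integration requires.`, and consider saying the same in `ACLTemplatedPolicyNomadClientDescription` so operators see the breadth when listing templates.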


@ -27,6 +27,7 @@ const (
ACLTemplatedPolicyNomadServerName = "builtin/nomad-server" ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity" ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
ACLTemplatedPolicyAPIGatewayName = "builtin/api-gateway" ACLTemplatedPolicyAPIGatewayName = "builtin/api-gateway"
ACLTemplatedPolicyNomadClientName = "builtin/nomad-client"
) )
type ACLLink struct { type ACLLink struct {


@ -77,7 +77,7 @@ func (f *prettyFormatter) FormatTemplatedPolicy(templatedPolicy api.ACLTemplated
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The workload name", "api") nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The workload name", "api")
case api.ACLTemplatedPolicyAPIGatewayName: case api.ACLTemplatedPolicyAPIGatewayName:
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The api gateway service name", "api-gateway") nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The api gateway service name", "api-gateway")
case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName: case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName, api.ACLTemplatedPolicyNomadClientName:
noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName) noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName)
default: default:
buffer.WriteString(" None\n") buffer.WriteString(" None\n")


@ -64,6 +64,14 @@ func testFormatTemplatedPolicy(t *testing.T, dirPath string) {
Description: structs.ACLTemplatedPolicyNomadServerDescription, Description: structs.ACLTemplatedPolicyNomadServerDescription,
}, },
}, },
"nomad-client-templated-policy": {
templatedPolicy: api.ACLTemplatedPolicyResponse{
TemplateName: api.ACLTemplatedPolicyNomadClientName,
Schema: structs.ACLTemplatedPolicyNoRequiredVariablesSchema,
Template: structs.ACLTemplatedPolicyNomadClient,
Description: structs.ACLTemplatedPolicyNomadClientDescription,
},
},
} }
formatters := map[string]Formatter{ formatters := map[string]Formatter{


@ -0,0 +1,6 @@
{
"TemplateName": "builtin/nomad-client",
"Schema": "",
"Template": "agent_prefix \"\" {\n policy = \"read\"\n}\nnode_prefix \"\" {\n policy = \"read\"\n}\nservice_prefix \"\" {\n policy = \"write\"\n}\nkey_prefix \"\" {\n policy = \"read\"\n}",
"Description": "Gives the token or role permissions required for integration with a nomad client."
}


@ -0,0 +1,18 @@
Name: builtin/nomad-client
Description: Gives the token or role permissions required for integration with a nomad client.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/nomad-client
Raw Template:
agent_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "read"
}


@ -0,0 +1,5 @@
Name: builtin/nomad-client
Description: Gives the token or role permissions required for integration with a nomad client.
Input variables: None
Example usage:
consul acl token create -templated-policy builtin/nomad-client