
Update controller to cleanup tokens from auth method #82

Merged: 5 commits merged into main from pglass/token-cleanup on May 12, 2022

Conversation

@pglass pglass commented May 9, 2022

Changes proposed in this PR:

This updates the ACL controller to clean up tokens created by the auth method. The controller's reconcile operation now tracks tasks by task id. It parses the JSON-formatted metadata from each ACL token description to determine the task id which created the token. Tokens for which there is no longer an ECS task running are deleted.

This PR also removes the controller's "old" behavior of managing tokens based on service names. The controller no longer creates any tokens, and is only responsible for cleaning up tokens created from a consul login command.

In order for the controller to clean up a token, the token must have been created with metadata when running the consul login command, which indicates the task id and cluster:

consul login \
    -meta consul.hashicorp.com/task-id=123456 \
    -meta consul.hashicorp.com/cluster=<clusterARN> \
    ...

When the token is created, the metadata is placed in the token description as a JSON string:

AccessorID:       00000000-0000-c962-66c1-d6a3345df4f9
SecretID:         00000000-0000-2663-f30a-e76300fdae8e
Partition:        default
Namespace:        test-ns
Description:      token created via login: {"consul.hashicorp.com/cluster":"<clusterARN>","consul.hashicorp.com/task-id":"123456"}
...

This updates the controller to consistently use the full cluster ARN. The task metadata has a Cluster field, which is the cluster ARN on Fargate but is only the cluster name on EC2.

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:

  • Tests added
  • CHANGELOG entry added
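The reconcile step described above, written out as an added example that is not code from the consul-ecs project or from this PR. It assumes a minimal token shape with just the `AccessorID` and `Description` fields, the `token created via login: ` description prefix shown in the PR output, and a constructed set of tokens and running task ids; the cluster ARN and accessor ids are placeholders. The point it demonstrates is the attribution check: a token is only a deletion candidate when its description carries the login prefix, parses as JSON, names this controller's cluster, and refers to a task id that is no longer running. Tokens with no metadata (such as a bootstrap token) or metadata for another cluster are left alone, so a controller cannot destroy tokens it cannot attribute.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Token is a hypothetical, reduced view of an ACL token: only the fields the
// cleanup logic needs (assumption, not the Consul API type).
type Token struct {
	AccessorID  string
	Description string
}

// loginMeta mirrors the -meta keys passed to `consul login` in the PR description.
type loginMeta struct {
	Cluster string `json:"consul.hashicorp.com/cluster"`
	TaskID  string `json:"consul.hashicorp.com/task-id"`
}

// descPrefix is the prefix Consul puts in front of the JSON metadata (taken from
// the token output shown in the PR).
const descPrefix = "token created via login: "

// parseLoginMeta extracts cluster and task id from a token description.
// ok is false for tokens that were not created via login, whose metadata is not
// valid JSON, or which lack either key; such tokens are never cleanup candidates.
func parseLoginMeta(desc string) (loginMeta, bool) {
	if !strings.HasPrefix(desc, descPrefix) {
		return loginMeta{}, false
	}
	var m loginMeta
	if err := json.Unmarshal([]byte(strings.TrimPrefix(desc, descPrefix)), &m); err != nil {
		return loginMeta{}, false
	}
	if m.Cluster == "" || m.TaskID == "" {
		return loginMeta{}, false
	}
	return m, true
}

// tokensToDelete returns the accessor ids of login tokens tagged with clusterARN
// whose task id is not in runningTaskIDs. Tokens for other clusters or without
// attributable metadata are skipped rather than deleted.
func tokensToDelete(tokens []Token, clusterARN string, runningTaskIDs map[string]bool) []string {
	var stale []string
	for _, t := range tokens {
		m, ok := parseLoginMeta(t.Description)
		if !ok || m.Cluster != clusterARN {
			continue
		}
		if !runningTaskIDs[m.TaskID] {
			stale = append(stale, t.AccessorID)
		}
	}
	return stale
}

// Constructed placeholders for the example (not real ARNs or accessor ids).
const exampleCluster = "arn:aws:ecs:us-east-1:000000000000:cluster/example"

func sampleTokens() []Token {
	return []Token{
		{"accessor-running", descPrefix + `{"consul.hashicorp.com/cluster":"` + exampleCluster + `","consul.hashicorp.com/task-id":"123456"}`},
		{"accessor-stale", descPrefix + `{"consul.hashicorp.com/cluster":"` + exampleCluster + `","consul.hashicorp.com/task-id":"999999"}`},
		{"accessor-other-cluster", descPrefix + `{"consul.hashicorp.com/cluster":"arn:aws:ecs:us-east-1:000000000000:cluster/other","consul.hashicorp.com/task-id":"555555"}`},
		{"accessor-bootstrap", "Bootstrap Token (Global Management)"},
		{"accessor-malformed", descPrefix + `{"consul.hashicorp.com/cluster":`},
	}
}

func main() {
	running := map[string]bool{"123456": true}
	fmt.Println("tokens to delete:", tokensToDelete(sampleTokens(), exampleCluster, running))
}
```

With only task `123456` still running, the run reports a single deletion candidate, `accessor-stale`; the token for the other cluster, the bootstrap token and the malformed entry are all skipped.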

@pglass pglass requested review from a team and erichaberkorn and removed request for a team May 9, 2022 17:32
CHANGELOG.md Outdated
@@ -19,6 +19,9 @@ FEATURES
* Update `acl-controller` to configure Consul's AWS IAM auth method at startup.
Add `-iam-role-path` flag to specify the path of IAM roles permitted to login.
[[GH-71](https://github.com/hashicorp/consul-ecs/pull/71)]
* Update `acl-controller` to cleanup ACL tokens created from Consul's AWS IAM auth method. Remove
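Review bot: this entry sits under FEATURES, but the PR description says the controller's old service-name-based token management is removed and the controller no longer creates any tokens, which existing deployments will notice; suggest adding a separate BREAKING CHANGES entry stating that `acl-controller` no longer creates or manages per-service tokens, and keeping this FEATURES line to the cleanup behavior. Also write "clean up" rather than "cleanup" where it is used as a verb.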

This ends up being a breaking change, doesn't it?

@pglass pglass merged commit 4e62af5 into main May 12, 2022
@pglass pglass deleted the pglass/token-cleanup branch May 12, 2022 16:55