Enable ACL Client Token (#1093)
* Refactor ConsulLogin() to return the acltoken in addition to the error.

* Refactor createACLPolicyRoleAndBindingRule to append datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist.

* Rename -create-client-token flag to -client

* Set additional SANs for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive an ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s acl-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Set up prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist.

* Adding missing comma.

* Fix flaky tests by wrapping asserts in retries a la Iryna.

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled.

* Refactoring tests to cover client-acl-init changes.

* Addressing PR comments.

* Removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* Addressing PR comments and only appending datacenters to a policy when it's a local token, not global tokens.

* Completing additional DNS names based on PR feedback.

* Do not ca-cert volume when using vault.

* Removing unused flagConsulCACert from partition-init command.

* PR Feedback. Removing unused envvars in acl-init container. Changing ConsulLogin to return secretID, error instead of token, error.
jmurret committed Mar 30, 2022
1 parent 8eb9902 commit 0f8b079
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions control-plane/subcommand/common/common.go
Expand Up @@ -182,6 +182,7 @@ func ConsulLogin(client *api.Client, params LoginParams, log hclog.Logger) (stri
log.Info("Checking that the ACL token exists when reading it in the stale consistency mode")
// Use raft timeout and polling interval to determine the number of retries.
numTokenReadRetries := uint64(raftReplicationTimeout.Milliseconds() / tokenReadPollingInterval.Milliseconds())
var aclLoginToken *api.ACLToken
err = backoff.Retry(func() error {
_, _, err = client.ACL().TokenReadSelf(&api.QueryOptions{AllowStale: true, Token: token.SecretID})
if err != nil {
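Review bot: the newly declared `var aclLoginToken *api.ACLToken` is never assigned in the visible part of this hunk; the `TokenReadSelf` call inside the retry closure still discards its first return value with `_`, so unless the elided lines below assign it, the Go compiler will reject the unused local. Suggest capturing the stale-mode read into it, e.g. `aclLoginToken, _, err = client.ACL().TokenReadSelf(&api.QueryOptions{AllowStale: true, Token: token.SecretID})`, and, since the commit message says ConsulLogin now returns the secret ID rather than the token (the signature still shows a `string` first return), confirm which of the two values the function ultimately hands back so the extra variable is not dead.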