command, docs: create and document consul token configuration for con…

…nect acls (gh-6716)

This change provides an initial pass at setting up the configuration necessary to
enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul
Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert`
commands (similar to Vault tokens).

These values are not actually used yet in this changeset.

api/jobs.go

@@ -336,14 +336,15 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 // enforceVersion is set, the job is only reverted if the current version is at
 // the passed version.
 func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
-	q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
+	q *WriteOptions, consulToken, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
 
 	var resp JobRegisterResponse
 	req := &JobRevertRequest{
 		JobID:               jobID,
 		JobVersion:          version,
 		EnforcePriorVersion: enforcePriorVersion,
-		VaultToken:          vaultToken,
+		// ConsulToken:         consulToken, // TODO(shoenig) enable!
+		VaultToken: vaultToken,
 	}
 	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/revert", req, &resp, q)
 	if err != nil {
@@ -670,6 +671,7 @@ type Job struct {
 	Reschedule        *ReschedulePolicy
 	Migrate           *MigrateStrategy
 	Meta              map[string]string
+	ConsulToken       *string `mapstructure:"consul_token"`
 	VaultToken        *string `mapstructure:"vault_token"`
 	Status            *string
 	StatusDescription *string
@@ -722,6 +724,9 @@ func (j *Job) Canonicalize() {
 	if j.AllAtOnce == nil {
 		j.AllAtOnce = boolToPtr(false)
 	}
+	if j.ConsulToken == nil {
+		j.ConsulToken = stringToPtr("")
+	}
 	if j.VaultToken == nil {
 		j.VaultToken = stringToPtr("")
 	}
@@ -966,6 +971,12 @@ type JobRevertRequest struct {
 	// version before reverting.
 	EnforcePriorVersion *uint64
 
+	// ConsulToken is the Consul token that proves the submitter of the job revert
+	// has access to the Service Identity policies associated with the job's
+	// Consul Connect enabled services. This field is only used to transfer the
+	// token and is not stored after the Job revert.
+	ConsulToken string `json:",omitempty"`
+
 	// VaultToken is the Vault token that proves the submitter of the job revert
 	// has access to any Vault policies specified in the targeted job version. This
 	// field is only used to authorize the revert and is not stored after the Job

api/jobs_test.go

@@ -99,6 +99,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr(""),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Status:            stringToPtr(""),
 				StatusDescription: stringToPtr(""),
@@ -186,6 +187,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr(""),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Status:            stringToPtr(""),
 				StatusDescription: stringToPtr(""),
@@ -256,6 +258,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr("lol"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -416,6 +419,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				Region:            stringToPtr("global"),
 				Type:              stringToPtr("service"),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -566,6 +570,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				Type:              stringToPtr("service"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -650,6 +655,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr("lol"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -846,13 +852,13 @@ func TestJobs_Revert(t *testing.T) {
 	assertWriteMeta(t, wm)
 
 	// Fail revert at incorrect enforce
-	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "")
+	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "", "")
 	if err == nil || !strings.Contains(err.Error(), "enforcing version") {
 		t.Fatalf("expected enforcement error: %v", err)
 	}
 
 	// Works at correct index
-	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "")
+	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "", "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}

command/agent/command.go

@@ -155,6 +155,10 @@ func (c *Command) readConfig() *Config {
 		return nil
 	}), "consul-verify-ssl", "")
 	flags.StringVar(&cmdConfig.Consul.Addr, "consul-address", "", "")
+	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {
+		cmdConfig.Consul.AllowUnauthenticated = &b
+		return nil
+	}), "consul-allow-unauthenticated", "")
 
 	// Vault options
 	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {
@@ -560,6 +564,7 @@ func (c *Command) AutocompleteFlags() complete.Flags {
 		"-consul-ssl":                    complete.PredictNothing,
 		"-consul-verify-ssl":             complete.PredictNothing,
 		"-consul-address":                complete.PredictAnything,
+		"-consul-token":                  complete.PredictAnything,
 		"-vault-enabled":                 complete.PredictNothing,
 		"-vault-allow-unauthenticated":   complete.PredictNothing,
 		"-vault-token":                   complete.PredictAnything,

command/agent/config_parse_test.go

@@ -151,25 +151,26 @@ var basicConfig = &Config{
 	DisableUpdateCheck:        helper.BoolToPtr(true),
 	DisableAnonymousSignature: true,
 	Consul: &config.ConsulConfig{
-		ServerServiceName:   "nomad",
-		ServerHTTPCheckName: "nomad-server-http-health-check",
-		ServerSerfCheckName: "nomad-server-serf-health-check",
-		ServerRPCCheckName:  "nomad-server-rpc-health-check",
-		ClientServiceName:   "nomad-client",
-		ClientHTTPCheckName: "nomad-client-http-health-check",
-		Addr:                "127.0.0.1:9500",
-		Token:               "token1",
-		Auth:                "username:pass",
-		EnableSSL:           &trueValue,
-		VerifySSL:           &trueValue,
-		CAFile:              "/path/to/ca/file",
-		CertFile:            "/path/to/cert/file",
-		KeyFile:             "/path/to/key/file",
-		ServerAutoJoin:      &trueValue,
-		ClientAutoJoin:      &trueValue,
-		AutoAdvertise:       &trueValue,
-		ChecksUseAdvertise:  &trueValue,
-		Timeout:             5 * time.Second,
+		ServerServiceName:    "nomad",
+		ServerHTTPCheckName:  "nomad-server-http-health-check",
+		ServerSerfCheckName:  "nomad-server-serf-health-check",
+		ServerRPCCheckName:   "nomad-server-rpc-health-check",
+		ClientServiceName:    "nomad-client",
+		ClientHTTPCheckName:  "nomad-client-http-health-check",
+		Addr:                 "127.0.0.1:9500",
+		AllowUnauthenticated: &trueValue,
+		Token:                "token1",
+		Auth:                 "username:pass",
+		EnableSSL:            &trueValue,
+		VerifySSL:            &trueValue,
+		CAFile:               "/path/to/ca/file",
+		CertFile:             "/path/to/cert/file",
+		KeyFile:              "/path/to/key/file",
+		ServerAutoJoin:       &trueValue,
+		ClientAutoJoin:       &trueValue,
+		AutoAdvertise:        &trueValue,
+		ChecksUseAdvertise:   &trueValue,
+		Timeout:              5 * time.Second,
 	},
 	Vault: &config.VaultConfig{
 		Addr:                 "127.0.0.1:9500",

command/agent/config_test.go

@@ -159,21 +159,22 @@ func TestConfig_Merge(t *testing.T) {
 			TLSServerName:        "1",
 		},
 		Consul: &config.ConsulConfig{
-			ServerServiceName:  "1",
-			ClientServiceName:  "1",
-			AutoAdvertise:      &falseValue,
-			Addr:               "1",
-			Timeout:            1 * time.Second,
-			Token:              "1",
-			Auth:               "1",
-			EnableSSL:          &falseValue,
-			VerifySSL:          &falseValue,
-			CAFile:             "1",
-			CertFile:           "1",
-			KeyFile:            "1",
-			ServerAutoJoin:     &falseValue,
-			ClientAutoJoin:     &falseValue,
-			ChecksUseAdvertise: &falseValue,
+			ServerServiceName:    "1",
+			ClientServiceName:    "1",
+			AutoAdvertise:        &falseValue,
+			Addr:                 "1",
+			AllowUnauthenticated: &falseValue,
+			Timeout:              1 * time.Second,
+			Token:                "1",
+			Auth:                 "1",
+			EnableSSL:            &falseValue,
+			VerifySSL:            &falseValue,
+			CAFile:               "1",
+			CertFile:             "1",
+			KeyFile:              "1",
+			ServerAutoJoin:       &falseValue,
+			ClientAutoJoin:       &falseValue,
+			ChecksUseAdvertise:   &falseValue,
 		},
 		Autopilot: &config.AutopilotConfig{
 			CleanupDeadServers:      &falseValue,
@@ -333,21 +334,22 @@ func TestConfig_Merge(t *testing.T) {
 			TLSServerName:        "2",
 		},
 		Consul: &config.ConsulConfig{
-			ServerServiceName:  "2",
-			ClientServiceName:  "2",
-			AutoAdvertise:      &trueValue,
-			Addr:               "2",
-			Timeout:            2 * time.Second,
-			Token:              "2",
-			Auth:               "2",
-			EnableSSL:          &trueValue,
-			VerifySSL:          &trueValue,
-			CAFile:             "2",
-			CertFile:           "2",
-			KeyFile:            "2",
-			ServerAutoJoin:     &trueValue,
-			ClientAutoJoin:     &trueValue,
-			ChecksUseAdvertise: &trueValue,
+			ServerServiceName:    "2",
+			ClientServiceName:    "2",
+			AutoAdvertise:        &trueValue,
+			Addr:                 "2",
+			AllowUnauthenticated: &trueValue,
+			Timeout:              2 * time.Second,
+			Token:                "2",
+			Auth:                 "2",
+			EnableSSL:            &trueValue,
+			VerifySSL:            &trueValue,
+			CAFile:               "2",
+			CertFile:             "2",
+			KeyFile:              "2",
+			ServerAutoJoin:       &trueValue,
+			ClientAutoJoin:       &trueValue,
+			ChecksUseAdvertise:   &trueValue,
 		},
 		Sentinel: &config.SentinelConfig{
 			Imports: []*config.SentinelImport{

command/agent/job_endpoint.go

@@ -633,6 +633,7 @@ func ApiJobToStructJob(job *api.Job) *structs.Job {
 		Datacenters: job.Datacenters,
 		Payload:     job.Payload,
 		Meta:        job.Meta,
+		ConsulToken: *job.ConsulToken,
 		VaultToken:  *job.VaultToken,
 		Constraints: ApiConstraintsToStructs(job.Constraints),
 		Affinities:  ApiAffinitiesToStructs(job.Affinities),

command/agent/job_endpoint_test.go

@@ -1714,7 +1714,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 				},
 			},
 		},
-		VaultToken:        helper.StringToPtr("token"),
+		ConsulToken:       helper.StringToPtr("abc123"),
+		VaultToken:        helper.StringToPtr("def456"),
 		Status:            helper.StringToPtr("status"),
 		StatusDescription: helper.StringToPtr("status_desc"),
 		Version:           helper.Uint64ToPtr(10),
@@ -2060,7 +2061,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 			},
 		},
 
-		VaultToken: "token",
+		ConsulToken: "abc123",
+		VaultToken:  "def456",
 	}
 
 	structsJob := ApiJobToStructJob(apiJob)

command/agent/testdata/basic.hcl

@@ -174,6 +174,7 @@ consul {
   client_service_name    = "nomad-client"
   client_http_check_name = "nomad-client-http-health-check"
   address                = "127.0.0.1:9500"
+  allow_unauthenticated  = true
   token                  = "token1"
   auth                   = "username:pass"
   ssl                    = true

command/agent/testdata/basic.json

@@ -111,6 +111,7 @@
   "consul": [
     {
       "address": "127.0.0.1:9500",
+      "allow_unauthenticated": true,
       "auth": "username:pass",
       "auto_advertise": true,
       "ca_file": "/path/to/ca/file",

command/job_revert.go

@@ -31,9 +31,13 @@ Revert Options:
     the evaluation ID will be printed to the screen, which can be used to
     examine the evaluation using the eval-status command.
 
+  -consul-token
+   The Consul token used to verify that the caller has access to the Service
+   Identity policies associated in the targeted version of the job.
+
   -vault-token 
    The Vault token used to verify that the caller has access to the Vault 
-   policies i the targeted version of the job.
+   policies in the targeted version of the job.
 
   -verbose
     Display full information.
@@ -72,12 +76,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" }
 
 func (c *JobRevertCommand) Run(args []string) int {
 	var detach, verbose bool
-	var vaultToken string
+	var consulToken, vaultToken string
 
 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.BoolVar(&detach, "detach", false, "")
 	flags.BoolVar(&verbose, "verbose", false, "")
+	flags.StringVar(&consulToken, "consul-token", "", "")
 	flags.StringVar(&vaultToken, "vault-token", "", "")
 
 	if err := flags.Parse(args); err != nil {
@@ -105,6 +110,12 @@ func (c *JobRevertCommand) Run(args []string) int {
 		return 1
 	}
 
+	// Parse the Consul token
+	if consulToken == "" {
+		// Check the environment variable
+		consulToken = os.Getenv("CONSUL_TOKEN")
+	}
+
 	// Parse the Vault token
 	if vaultToken == "" {
 		// Check the environment variable
@@ -138,7 +149,7 @@ func (c *JobRevertCommand) Run(args []string) int {
 	}
 
 	// Prefix lookup matched a single job
-	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken)
+	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, consulToken, vaultToken)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err))
 		return 1