command, docs: create and document consul token configuration for con…

…nect acls (gh-6716)

This change provides an initial pass at setting up the configuration necessary to
enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul
Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert`
commands (similar to Vault tokens).

These values are not actually used yet in this changeset.

api/jobs.go

@@ -336,14 +336,15 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 // enforceVersion is set, the job is only reverted if the current version is at
 // the passed version.
 func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
-	q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
+	q *WriteOptions, consulToken, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
 
 	var resp JobRegisterResponse
 	req := &JobRevertRequest{
 		JobID:               jobID,
 		JobVersion:          version,
 		EnforcePriorVersion: enforcePriorVersion,
-		VaultToken:          vaultToken,
+		// ConsulToken:         consulToken, // TODO(shoenig) enable!
+		VaultToken: vaultToken,
 	}
 	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/revert", req, &resp, q)
 	if err != nil {
@@ -670,6 +671,7 @@ type Job struct {
 	Reschedule        *ReschedulePolicy
 	Migrate           *MigrateStrategy
 	Meta              map[string]string
+	ConsulToken       *string `mapstructure:"consul_token"`
 	VaultToken        *string `mapstructure:"vault_token"`
 	Status            *string
 	StatusDescription *string
@@ -722,6 +724,9 @@ func (j *Job) Canonicalize() {
 	if j.AllAtOnce == nil {
 		j.AllAtOnce = boolToPtr(false)
 	}
+	if j.ConsulToken == nil {
+		j.ConsulToken = stringToPtr("")
+	}
 	if j.VaultToken == nil {
 		j.VaultToken = stringToPtr("")
 	}
@@ -966,6 +971,12 @@ type JobRevertRequest struct {
 	// version before reverting.
 	EnforcePriorVersion *uint64
 
+	// ConsulToken is the Consul token that proves the submitter of the job revert
+	// has access to the Service Identity policies associated with the job's
+	// Consul Connect enabled services. This field is only used to transfer the
+	// token and is not stored after the Job revert.
+	ConsulToken string `json:",omitempty"`
+
 	// VaultToken is the Vault token that proves the submitter of the job revert
 	// has access to any Vault policies specified in the targeted job version. This
 	// field is only used to authorize the revert and is not stored after the Job

command/agent/command.go

@@ -155,6 +155,10 @@ func (c *Command) readConfig() *Config {
 		return nil
 	}), "consul-verify-ssl", "")
 	flags.StringVar(&cmdConfig.Consul.Addr, "consul-address", "", "")
+	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {
+		cmdConfig.Consul.AllowUnauthenticated = &b
+		return nil
+	}), "consul-allow-unauthenticated", "")
 
 	// Vault options
 	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {

command/agent/config_parse_test.go

@@ -151,25 +151,26 @@ var basicConfig = &Config{
 	DisableUpdateCheck:        helper.BoolToPtr(true),
 	DisableAnonymousSignature: true,
 	Consul: &config.ConsulConfig{
-		ServerServiceName:   "nomad",
-		ServerHTTPCheckName: "nomad-server-http-health-check",
-		ServerSerfCheckName: "nomad-server-serf-health-check",
-		ServerRPCCheckName:  "nomad-server-rpc-health-check",
-		ClientServiceName:   "nomad-client",
-		ClientHTTPCheckName: "nomad-client-http-health-check",
-		Addr:                "127.0.0.1:9500",
-		Token:               "token1",
-		Auth:                "username:pass",
-		EnableSSL:           &trueValue,
-		VerifySSL:           &trueValue,
-		CAFile:              "/path/to/ca/file",
-		CertFile:            "/path/to/cert/file",
-		KeyFile:             "/path/to/key/file",
-		ServerAutoJoin:      &trueValue,
-		ClientAutoJoin:      &trueValue,
-		AutoAdvertise:       &trueValue,
-		ChecksUseAdvertise:  &trueValue,
-		Timeout:             5 * time.Second,
+		ServerServiceName:    "nomad",
+		ServerHTTPCheckName:  "nomad-server-http-health-check",
+		ServerSerfCheckName:  "nomad-server-serf-health-check",
+		ServerRPCCheckName:   "nomad-server-rpc-health-check",
+		ClientServiceName:    "nomad-client",
+		ClientHTTPCheckName:  "nomad-client-http-health-check",
+		Addr:                 "127.0.0.1:9500",
+		AllowUnauthenticated: &trueValue,
+		Token:                "token1",
+		Auth:                 "username:pass",
+		EnableSSL:            &trueValue,
+		VerifySSL:            &trueValue,
+		CAFile:               "/path/to/ca/file",
+		CertFile:             "/path/to/cert/file",
+		KeyFile:              "/path/to/key/file",
+		ServerAutoJoin:       &trueValue,
+		ClientAutoJoin:       &trueValue,
+		AutoAdvertise:        &trueValue,
+		ChecksUseAdvertise:   &trueValue,
+		Timeout:              5 * time.Second,
 	},
 	Vault: &config.VaultConfig{
 		Addr:                 "127.0.0.1:9500",

command/agent/job_endpoint.go

@@ -633,6 +633,7 @@ func ApiJobToStructJob(job *api.Job) *structs.Job {
 		Datacenters: job.Datacenters,
 		Payload:     job.Payload,
 		Meta:        job.Meta,
+		ConsulToken: *job.ConsulToken,
 		VaultToken:  *job.VaultToken,
 		Constraints: ApiConstraintsToStructs(job.Constraints),
 		Affinities:  ApiAffinitiesToStructs(job.Affinities),

command/agent/job_endpoint_test.go

@@ -1714,7 +1714,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 				},
 			},
 		},
-		VaultToken:        helper.StringToPtr("token"),
+		ConsulToken:       helper.StringToPtr("abc123"),
+		VaultToken:        helper.StringToPtr("def456"),
 		Status:            helper.StringToPtr("status"),
 		StatusDescription: helper.StringToPtr("status_desc"),
 		Version:           helper.Uint64ToPtr(10),
@@ -2060,7 +2061,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 			},
 		},
 
-		VaultToken: "token",
+		ConsulToken: "abc123",
+		VaultToken:  "def456",
 	}
 
 	structsJob := ApiJobToStructJob(apiJob)

command/agent/testdata/basic.hcl

@@ -174,6 +174,7 @@ consul {
   client_service_name    = "nomad-client"
   client_http_check_name = "nomad-client-http-health-check"
   address                = "127.0.0.1:9500"
+  allow_unauthenticated  = true
   token                  = "token1"
   auth                   = "username:pass"
   ssl                    = true

command/agent/testdata/basic.json

@@ -111,6 +111,7 @@
   "consul": [
     {
       "address": "127.0.0.1:9500",
+      "allow_unauthenticated": true,
       "auth": "username:pass",
       "auto_advertise": true,
       "ca_file": "/path/to/ca/file",

command/job_revert.go

@@ -31,9 +31,13 @@ Revert Options:
     the evaluation ID will be printed to the screen, which can be used to
     examine the evaluation using the eval-status command.
 
+  -consul-token
+   The Consul token used to verify that the caller has access to the Service
+   Identity policies associated in the targeted version of the job.
+
   -vault-token 
    The Vault token used to verify that the caller has access to the Vault 
-   policies i the targeted version of the job.
+   policies in the targeted version of the job.
 
   -verbose
     Display full information.
@@ -72,12 +76,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" }
 
 func (c *JobRevertCommand) Run(args []string) int {
 	var detach, verbose bool
-	var vaultToken string
+	var consulToken, vaultToken string
 
 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.BoolVar(&detach, "detach", false, "")
 	flags.BoolVar(&verbose, "verbose", false, "")
+	flags.StringVar(&consulToken, "consul-token", "", "")
 	flags.StringVar(&vaultToken, "vault-token", "", "")
 
 	if err := flags.Parse(args); err != nil {
@@ -105,6 +110,12 @@ func (c *JobRevertCommand) Run(args []string) int {
 		return 1
 	}
 
+	// Parse the Consul token
+	if consulToken == "" {
+		// Check the environment variable
+		consulToken = os.Getenv("CONSUL_TOKEN")
+	}
+
 	// Parse the Vault token
 	if vaultToken == "" {
 		// Check the environment variable
@@ -138,7 +149,7 @@ func (c *JobRevertCommand) Run(args []string) int {
 	}
 
 	// Prefix lookup matched a single job
-	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken)
+	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, consulToken, vaultToken)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err))
 		return 1

command/job_run.go

@@ -52,6 +52,10 @@ Alias: nomad run
   If the job has specified the region, the -region flag and NOMAD_REGION
   environment variable are overridden and the job's region is used.
 
+  The run command will set the consul_token of the job based on the following
+  precedence, going from highest to lowest: the -consul-token flag, the
+  $CONSUL_TOKEN environment variable and finally the value in the job file.
+
   The run command will set the vault_token of the job based on the following
   precedence, going from highest to lowest: the -vault-token flag, the
   $VAULT_TOKEN environment variable and finally the value in the job file.
@@ -82,6 +86,12 @@ Run Options:
   -policy-override
     Sets the flag to force override any soft mandatory Sentinel policies.
 
+  -consul-token
+    If set, the passed Consul token is stored in the job before sending to the
+    Nomad servers. This allows passing the Consul token without storing it in
+    the job file. This overrides the token found in $CONSUL_TOKEN environment
+    variable and that found in the job.
+
   -vault-token
     If set, the passed Vault token is stored in the job before sending to the
     Nomad servers. This allows passing the Vault token without storing it in
@@ -118,7 +128,7 @@ func (c *JobRunCommand) Name() string { return "job run" }
 
 func (c *JobRunCommand) Run(args []string) int {
 	var detach, verbose, output, override bool
-	var checkIndexStr, vaultToken string
+	var checkIndexStr, consulToken, vaultToken string
 
 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
@@ -127,6 +137,7 @@ func (c *JobRunCommand) Run(args []string) int {
 	flags.BoolVar(&output, "output", false, "")
 	flags.BoolVar(&override, "policy-override", false, "")
 	flags.StringVar(&checkIndexStr, "check-index", "", "")
+	flags.StringVar(&consulToken, "consul-token", "", "")
 	flags.StringVar(&vaultToken, "vault-token", "", "")
 
 	if err := flags.Parse(args); err != nil {
@@ -175,6 +186,16 @@ func (c *JobRunCommand) Run(args []string) int {
 	periodic := job.IsPeriodic()
 	paramjob := job.IsParameterized()
 
+	// Parse the Consul token
+	if consulToken == "" {
+		// Check the environment variable
+		consulToken = os.Getenv("CONSUL_TOKEN")
+	}
+
+	if consulToken != "" {
+		job.ConsulToken = helper.StringToPtr(consulToken)
+	}
+
 	// Parse the Vault token
 	if vaultToken == "" {
 		// Check the environment variable

jobspec/parse_job.go

@@ -79,6 +79,7 @@ func parseJob(result *api.Job, list *ast.ObjectList) error {
 		"update",
 		"vault",
 		"vault_token",
+		"consul_token",
 	}
 	if err := helper.CheckHCLKeys(listVal, valid); err != nil {
 		return multierror.Prefix(err, "job:")

jobspec/parse_test.go

@@ -31,6 +31,7 @@ func TestParse(t *testing.T) {
 				Datacenters: []string{"us2", "eu1"},
 				Region:      helper.StringToPtr("fooregion"),
 				Namespace:   helper.StringToPtr("foonamespace"),
+				ConsulToken: helper.StringToPtr("abc"),
 				VaultToken:  helper.StringToPtr("foo"),
 
 				Meta: map[string]string{

jobspec/test-fixtures/bad-ports.hcl

@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
   priority    = 50
   all_at_once = true
   datacenters = ["us2", "eu1"]
+  consul_token = "abc"
   vault_token = "foo"
 
   meta {

jobspec/test-fixtures/basic.hcl

@@ -5,6 +5,7 @@ job "binstore-storagelocker" {
   priority    = 52
   all_at_once = true
   datacenters = ["us2", "eu1"]
+  consul_token = "abc"
   vault_token = "foo"
 
   meta {

jobspec/test-fixtures/basic_wrong_key.hcl

@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
   priority    = 50
   all_at_once = true
   datacenters = ["us2", "eu1"]
+  consul_token = "abc"
   vault_token = "foo"
 
   meta {

jobspec/test-fixtures/incorrect-service-def.hcl

@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
   priority    = 50
   all_at_once = true
   datacenters = ["us2", "eu1"]
+  consul_token = "abc"
   vault_token = "foo"
 
   meta {

jobspec/test-fixtures/overlapping-ports.hcl

@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
   priority    = 50
   all_at_once = true
   datacenters = ["us2", "eu1"]
+  consul_token = "abc"
   vault_token = "foo"
 
   meta {

nomad/structs/config/consul.go

@@ -72,6 +72,11 @@ type ConsulConfig struct {
 	// the agent's default token
 	Token string `hcl:"token"`
 
+	// AllowUnauthenticated allows users to submit jobs requiring Consul
+	// Service Identity tokens without providing a Consul token proving they
+	// have access to such policies.
+	AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`
+
 	// Auth is the information to use for http access to Consul agent
 	Auth string `hcl:"auth"`
 
@@ -115,17 +120,18 @@ type ConsulConfig struct {
 func DefaultConsulConfig() *ConsulConfig {
 	def := consul.DefaultConfig()
 	return &ConsulConfig{
-		ServerServiceName:   "nomad",
-		ServerHTTPCheckName: "Nomad Server HTTP Check",
-		ServerSerfCheckName: "Nomad Server Serf Check",
-		ServerRPCCheckName:  "Nomad Server RPC Check",
-		ClientServiceName:   "nomad-client",
-		ClientHTTPCheckName: "Nomad Client HTTP Check",
-		AutoAdvertise:       helper.BoolToPtr(true),
-		ChecksUseAdvertise:  helper.BoolToPtr(false),
-		ServerAutoJoin:      helper.BoolToPtr(true),
-		ClientAutoJoin:      helper.BoolToPtr(true),
-		Timeout:             5 * time.Second,
+		ServerServiceName:    "nomad",
+		ServerHTTPCheckName:  "Nomad Server HTTP Check",
+		ServerSerfCheckName:  "Nomad Server Serf Check",
+		ServerRPCCheckName:   "Nomad Server RPC Check",
+		ClientServiceName:    "nomad-client",
+		ClientHTTPCheckName:  "Nomad Client HTTP Check",
+		AutoAdvertise:        helper.BoolToPtr(true),
+		ChecksUseAdvertise:   helper.BoolToPtr(false),
+		ServerAutoJoin:       helper.BoolToPtr(true),
+		ClientAutoJoin:       helper.BoolToPtr(true),
+		AllowUnauthenticated: helper.BoolToPtr(true),
+		Timeout:              5 * time.Second,
 
 		// From Consul api package defaults
 		Addr:      def.Address,
@@ -135,6 +141,12 @@ func DefaultConsulConfig() *ConsulConfig {
 	}
 }
 
+// AllowsUnauthenticated returns whether the config allows unauthenticated
+// creation of Consul Service Identity tokens for Consul Connect enabled Tasks.
+func (a *ConsulConfig) AllowsUnauthenticated() bool {
+	return a.AllowUnauthenticated != nil && *a.AllowUnauthenticated
+}
+
 // Merge merges two Consul Configurations together.
 func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
 	result := a.Copy()
@@ -203,6 +215,9 @@ func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
 	if b.ChecksUseAdvertise != nil {
 		result.ChecksUseAdvertise = helper.BoolToPtr(*b.ChecksUseAdvertise)
 	}
+	if b.AllowUnauthenticated != nil {
+		result.AllowUnauthenticated = helper.BoolToPtr(*b.AllowUnauthenticated)
+	}
 	return result
 }
 
@@ -289,6 +304,9 @@ func (c *ConsulConfig) Copy() *ConsulConfig {
 	if nc.ClientAutoJoin != nil {
 		nc.ClientAutoJoin = helper.BoolToPtr(*nc.ClientAutoJoin)
 	}
+	if nc.AllowUnauthenticated != nil {
+		nc.AllowUnauthenticated = helper.BoolToPtr(*nc.AllowUnauthenticated)
+	}
 
 	return nc
 }