docs: Consul Workload Identity integration #18685
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
52041ab
to
f606552
Compare
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
f606552
to
5be077f
Compare
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
5be077f
to
c377e4f
Compare
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
c377e4f
to
fedb510
Compare
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
fedb510
to
ba0ddd1
Compare
lgfa29
approved these changes
Oct 10, 2023
|
|
||
| ```json | ||
| { | ||
| "JWKSURL": "https://nomad.example.com:4646/.well-known/jwks.json", |
There was a problem hiding this comment.
Can Consul reference internal services here? 🤔
Suggested change
| "JWKSURL": "https://nomad.example.com:4646/.well-known/jwks.json", | |
| "JWKSURL": "https://nomad.service.consul:4646/.well-known/jwks.json", |
There was a problem hiding this comment.
Probably, but I doubt Nomad's TLS cert is going to be set up for that typically?
Comment on lines
+75
to
+78
| The Nomad client will make the Consul token available to the task by writing it | ||
| to the secret directory at `secrets/consul_token` and by injecting a | ||
| `CONSUL_TOKEN` environment variable in the task. If the Nomad cluster is |
There was a problem hiding this comment.
Adding env and file to the consul block (like vault) could be a nice future work.
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
ba0ddd1
to
e634fc6
Compare
mikenomitch
reviewed
Oct 16, 2023
There was a problem hiding this comment.
High level thoughts:
- Overall this is looking good! I hadn't 100% followed along with the ways that this diverged with Vault, but its really not that much harder once you configure the agent defaults. I'm excited to get this going!
- In "Using Nomad Workload Identity with Consul" on "integrations/consul-integration" we should explicitly say that you no longer will need to pass in Consul tokens on job submit. Probably also worth mentioning in the "Migrating to Using Workload Identity with Consul" category.
- Should we elevate the Workload Identity example in the agent config section to come right after the Default? Should this become the default in 1.8? In 1.9?
- Parsing error at end of docs/job-specification/consul (see the preview page, it'll be obvious) - also at "The token provided by the [-consul-token] flag" and at "Refer to [Configuring Consul Authentication][] for more details." - A few other link rendering errors too
Good call. Done.
Done. Yes, in Nomad 1.9 we'll make it the default.
Gah. Ok, I think I've fixed them all. Will re-review once the new preview is done. |
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
355c76f
to
8b341e2
Compare
Documentation updates to support the new Consul integration with Nomad Workload Identity. Included: * Added a large section to the Consul integration docs to explain how to set up auth methods and binding rules (by hand, assuming we don't ship a `nomad setup-consul` tool for now), and how to safely migrate from the existing workflow to the new one. * Move `consul` block out of `group` and onto its own page now that we have it available at the `task` scope, and expanded examples of its use. * Added the `service_identity` and `task_identity` blocks to the Nomad agent configuration, and provided a recommended default. * Added the `identity` block to the `service` block page. * Added a rough compatibility matrix to the Consul integration page.
tgross
force-pushed
the
docs-consul-workload-identity
branch
from
8b341e2
to
ea93817
Compare
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this pull request
Mar 1, 2024
Documentation updates to support the new Consul integration with Nomad Workload Identity. Included: * Added a large section to the Consul integration docs to explain how to set up auth methods and binding rules (by hand, assuming we don't ship a `nomad setup-consul` tool for now), and how to safely migrate from the existing workflow to the new one. * Move `consul` block out of `group` and onto its own page now that we have it available at the `task` scope, and expanded examples of its use. * Added the `service_identity` and `task_identity` blocks to the Nomad agent configuration, and provided a recommended default. * Added the `identity` block to the `service` block page. * Added a rough compatibility matrix to the Consul integration page.
nvanthao
pushed a commit
to nvanthao/nomad
that referenced
this pull request
Mar 1, 2024
Documentation updates to support the new Consul integration with Nomad Workload Identity. Included: * Added a large section to the Consul integration docs to explain how to set up auth methods and binding rules (by hand, assuming we don't ship a `nomad setup-consul` tool for now), and how to safely migrate from the existing workflow to the new one. * Move `consul` block out of `group` and onto its own page now that we have it available at the `task` scope, and expanded examples of its use. * Added the `service_identity` and `task_identity` blocks to the Nomad agent configuration, and provided a recommended default. * Added the `identity` block to the `service` block page. * Added a rough compatibility matrix to the Consul integration page.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Documentation updates to support the new Consul integration with Nomad Workload Identity. Included:
nomad setup-consultool for now), and how to safely migrate from the existing workflow to the new one.consulblock out ofgroupand onto its own page now that we have it available at thetaskscope, and expanded examples of its use.service_identityandtask_identityblocks to the Nomad agent configuration, and provided a recommended default.identityblock to theserviceblock page.Preview links for the significant page changes (I'll try to keep these links up to date as I land changes):