Closed scalp42 closed 4 years ago
It doesn't seem doable until https://github.com/hashicorp/consul/issues/4977 ships.
Going to resume work once https://github.com/WeAreFarmGeek/diplomat/pull/196 is merged as Consul 1.5.0 re-allows custom `AccessorID` and `SecretID` (still require valid UUIDs though).
One of the issues when updating ACL tokens and comparing policies is that the Consul endpoint returns both policy `ID` and `Name` and we only use the latter to compare.
So I decided to always update the policies attached to the token as we're passing the policy name only.
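The name-only comparison described in the comment above, as an added example that is not part of this PR, the cookbook, or diplomat. It assumes the Consul 1.5 ACL API response shapes (`GET /v1/acl/token/<AccessorID>` returns `Policies` links with both `ID` and `Name`; `GET /v1/acl/policies` lists `ID` and `Name`; `PUT /v1/acl/token/<AccessorID>` accepts policy links by `Name`). The JSON samples and UUIDs are constructed for the example.

```ruby
require 'json'
require 'set'

# Constructed sample of the "Policies" field returned when reading a token
# (GET /v1/acl/token/<AccessorID>): each link carries both ID and Name.
# Assumption: this mirrors the Consul 1.5 response shape; the UUIDs are made up.
SAMPLE_TOKEN_JSON = <<~JSON
  {
    "AccessorID": "00000000-0000-0000-0000-000000000002",
    "Description": "Anonymous Token",
    "Policies": [
      { "ID": "5c8d6a0b-8f4e-4a2f-9c7d-1a2b3c4d5e6f", "Name": "anonymous" }
    ]
  }
JSON

# Constructed sample of the policy list (GET /v1/acl/policies) on the same
# cluster. "anonymous" deliberately has a different ID here than on the token:
# the state you get after a policy was deleted and re-created under the same name.
SAMPLE_POLICY_LIST_JSON = <<~JSON
  [
    { "ID": "9e1f2a3b-4c5d-4e6f-8a7b-0c1d2e3f4a5b", "Name": "anonymous" },
    { "ID": "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d", "Name": "operator-read" }
  ]
JSON

def attached_policies(token_json)
  JSON.parse(token_json).fetch('Policies', [])
end

# Compare by Name only: all a resource that takes `policies ['anonymous']` can do,
# since it never sees IDs. Equal name sets => looks converged, even if the
# policy behind the name was re-created with a new ID.
def policies_match_by_name?(token_json, desired_names)
  attached_policies(token_json).map { |p| p['Name'] }.to_set == desired_names.to_set
end

# Stricter check: resolve the desired names against the cluster's policy list
# and compare the IDs actually attached to the token. Unknown names raise KeyError.
def policies_match_by_id?(token_json, policy_list_json, desired_names)
  by_name = JSON.parse(policy_list_json).to_h { |p| [p['Name'], p['ID']] }
  desired_ids = desired_names.map { |n| by_name.fetch(n) { raise KeyError, "no policy named #{n}" } }
  attached_policies(token_json).map { |p| p['ID'] }.to_set == desired_ids.to_set
end

# Body for PUT /v1/acl/token/<AccessorID>: policy links by Name, leaving Consul
# to resolve the ID server-side. This is why always sending the update is safe
# when only names are known.
def token_update_body(description, desired_names)
  { 'Description' => description,
    'Policies' => desired_names.map { |n| { 'Name' => n } } }
end
```

With the constructed samples, the name-only check reports the token as converged while the ID check does not, which is the gap the "always update" choice papers over.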
| 1 Error | |
|---|---|
| :no_entry_sign: | Please include a CHANGELOG entry. |

| 2 Warnings | |
|---|---|
| :warning: | This is a big Pull Request. |
| :warning: | This Pull Request is probably missing tests. |

Generated by :no_entry_sign: Danger
Is this still a WIP or has it been completed and is waiting to be merged?
Not worth much but we've been using it in production since then.
Are you just being held up by process here? Is there anything I can do to help?
Keen to see this PR get merged as we've been pushed to upgrade consul before Chef was able to manage the ACLs.
I think it's linting rules blocking this PR (I don't have the best setup currently to run Rubocop).
Changelog should be handled by the person bumping the cookbook I believe.
Regarding tests, ours is tested through InSpec and kitchen instead of unit testing which we like more.
Otherwise, running in production with separated `consul_policy` and `consul_token`:
```ruby
# NOTE: set the anonymous token & policy if ACLs are enabled,
# mainly used for DNS requests as you can't pass a token
consul_policy 'anonymous' do
  description 'Anonymous policy'
  auth_token(node[cookbook_name]['acl']['tokens']['master'])
  # <<- keeps the leading whitespace, so strip the 4-space indent before sending
  rules <<-HCL.gsub(/^\s{4}/, '')
    node_prefix "" {
      policy = "read"
    }
    service_prefix "" {
      policy = "read"
    }
    operator = "read"
  HCL
  action :create
  retries 5
  retry_delay 5
  # only run once the local agent answers ACL requests with the master token
  only_if do
    ::HTTParty.get(
      "http://localhost:#{node[cookbook_name]['config']['ports']['http']}/v1/acl/list",
      headers: { 'X-Consul-Token' => node[cookbook_name]['acl']['tokens']['master'] }
    ).code == 200
  end
  ignore_failure false
  sensitive true
end

consul_token 'Anonymous Token' do
  policies ['anonymous']
  auth_token(node[cookbook_name]['acl']['tokens']['master'])
  action :create
  retries 5
  retry_delay 10
  only_if do
    ::HTTParty.get(
      "http://localhost:#{node[cookbook_name]['config']['ports']['http']}/v1/acl/list",
      headers: { 'X-Consul-Token' => node[cookbook_name]['acl']['tokens']['master'] }
    ).code == 200
  end
  ignore_failure false
  sensitive true
end
```
If you don't like the inline HCL rules:

```ruby
# install the rhcl gem at compile time so it can be required below
chef_gem 'rhcl' do
  compile_time true
end
require 'rhcl'

hcl_rules = {
  'node' => {
    node[cookbook_name]['config']['node_name'] => {
      'policy' => 'write'
    }
  }
}

# serialise the Ruby hash to HCL for the policy rules
consul_policy 'test' do
  rules ::Rhcl.dump(hcl_rules)
end
```
Cheers!
Thanks @scalp42
Description

Add 3 new resources:
- `consul_token`
- `consul_policy`
- `consul_role`

Issues Resolved

520