sous-chefs / consul

Development repository for the consul cookbook
https://supermarket.chef.io/cookbooks/consul
Apache License 2.0

Consul 1.5.x ACLs #521

Closed scalp42 closed 4 years ago

scalp42 commented 5 years ago

Description

Add 3 new resources:

Issues Resolved

#520

scalp42 commented 5 years ago

It doesn't seem doable until https://github.com/hashicorp/consul/issues/4977 ships.

scalp42 commented 5 years ago

Going to resume work once https://github.com/WeAreFarmGeek/diplomat/pull/196 is merged as Consul 1.5.0 re-allows custom AccessorID and SecretID (still require valid UUIDs though).

scalp42 commented 5 years ago

One of the issues when updating ACL tokens and comparing policies is that the Consul endpoint returns both the policy ID and Name and we only use the latter to compare.

So I decided to always update the policies attached to the token as we're passing the policy name only.

kitchen-porter commented 5 years ago
1 Error
:no_entry_sign: Please include a CHANGELOG entry.
2 Warnings
:warning: This is a big Pull Request.
:warning: This Pull Request is probably missing tests.

Generated by :no_entry_sign: Danger

freakinhippie commented 4 years ago

Is this still a WIP or has it been completed and is waiting to be merged?

scalp42 commented 4 years ago

Not worth much but we've been using it in production since then.

karlbaillie commented 4 years ago

> Not worth much but we've been using it in production since then.

Are you just being held up by process here? Is there anything I can do to help?

Keen to see this PR get merged as we've been pushed to upgrade consul before Chef was able to manage the ACLs.

scalp42 commented 4 years ago

I think it's linting rules blocking this PR (I don't have the best setup currently to run Rubocop).

Changelog should be handled by the person bumping the cookbook I believe.

Regarding tests, ours is tested through InSpec and kitchen instead of unit testing which we like more.

Otherwise, running in production with separated consul_policy and consul_token:

  # NOTE: set the anonymous token & policy if ACLs are enabled,
  # mainly used for DNS requests as you can't pass a token
  consul_policy 'anonymous' do
    description 'Anonymous policy'
    auth_token(node[cookbook_name]['acl']['tokens']['master'])
    # squiggly heredoc strips the common indentation, so no gsub is needed
    rules <<~HCL
      node_prefix "" {
        policy = "read"
      }
      service_prefix "" {
        policy = "read"
      }
      operator = "read"
    HCL
    action :create
    retries 5
    retry_delay 5
    # only converge once the local agent answers ACL requests with the master token
    only_if do
      ::HTTParty.get(
        "http://localhost:#{node[cookbook_name]['config']['ports']['http']}/v1/acl/list",
        headers: { 'X-Consul-Token' => node[cookbook_name]['acl']['tokens']['master'] }
      ).code == 200
    end
    ignore_failure false
    sensitive true
  end

  consul_token 'Anonymous Token' do
    policies ['anonymous']
    auth_token(node[cookbook_name]['acl']['tokens']['master'])
    action :create
    retries 5
    retry_delay 10
    only_if do
      ::HTTParty.get(
        "http://localhost:#{node[cookbook_name]['config']['ports']['http']}/v1/acl/list",
        headers: { 'X-Consul-Token' => node[cookbook_name]['acl']['tokens']['master'] }
      ).code == 200
    end
    ignore_failure false
    sensitive true
  end

If you don't like the inline HCL rules:

chef_gem 'rhcl' do
  compile_time true
end
# the gem is installed at compile time, but still has to be loaded before ::Rhcl is used
require 'rhcl'

# rules expressed as a Hash and rendered to HCL instead of an inline heredoc
hcl_rules = {
  'node' => {
    node[cookbook_name]['config']['node_name'] => {
      'policy' => 'write'
    }
  }
}

consul_policy 'test' do
  rules ::Rhcl.dump(hcl_rules)
end

Cheers!
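The two points above, the name-versus-ID comparison problem when deciding whether a token's policies need updating and the hash-to-HCL approach for policy rules, as an added Ruby example that is not part of this PR or of the consul cookbook. It has no Chef, diplomat or rhcl dependency: `to_hcl` is a hand-written stand-in for `Rhcl.dump`, `CURRENT_TOKEN` is a constructed document in the shape of a `GET /v1/acl/token/:accessor_id` response, every UUID in it is a placeholder, and `valid_uuid?` only checks the UUID format Consul 1.5 requires for caller-supplied AccessorID/SecretID values.

```ruby
require 'json'

# Consul 1.5 re-allows custom AccessorID/SecretID values, but only as valid
# UUIDs. Format check only; the server still decides whether it accepts them.
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

def valid_uuid?(id)
  UUID_RE.match?(id.to_s)
end

# Rules for the anonymous policy as a Hash, the shape the rhcl approach uses.
# Constructed for this example.
ANONYMOUS_RULES = {
  'node_prefix'    => { '' => { 'policy' => 'read' } },
  'service_prefix' => { '' => { 'policy' => 'read' } },
  'operator'       => 'read'
}.freeze

# Minimal Hash -> HCL emitter standing in for Rhcl.dump (no gem needed).
# A Hash value becomes one labelled block per key (node_prefix "" { ... });
# any other value becomes a quoted assignment (operator = "read").
def to_hcl(rules, depth = 0)
  pad = '  ' * depth
  rules.map do |key, value|
    if value.is_a?(Hash)
      value.map do |label, body|
        "#{pad}#{key} #{label.to_s.inspect} {\n#{to_hcl(body, depth + 1)}#{pad}}\n"
      end.join
    else
      "#{pad}#{key} = #{value.to_s.inspect}\n"
    end
  end.join
end

# Guard for the anonymous policy: anyone who can reach the agent's DNS/HTTP
# API gets these rules, so every permission level must be read or deny.
READ_ONLY_LEVELS = %w[read deny].freeze

def read_only_rules?(rules)
  rules.values.all? do |value|
    value.is_a?(Hash) ? read_only_rules?(value) : READ_ONLY_LEVELS.include?(value.to_s)
  end
end

# Constructed token document in the shape Consul returns from
# GET /v1/acl/token/:accessor_id: attached policies come back as {ID, Name}.
CURRENT_TOKEN = JSON.parse(<<~JSON)
  {
    "AccessorID": "11111111-2222-4333-8444-555555555555",
    "SecretID": "66666666-7777-4888-9999-aaaaaaaaaaaa",
    "Description": "Anonymous Token",
    "Policies": [
      { "ID": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff", "Name": "anonymous" }
    ],
    "Local": false
  }
JSON

# Names of the attached policies; the ID half is dropped because the
# consul_token resource only knows names.
def attached_policy_names(token)
  token.fetch('Policies', []).map { |p| p['Name'] }
end

# Idempotency check by name: true when the attached set already matches.
def policies_up_to_date?(token, desired_names)
  attached_policy_names(token).sort == desired_names.map(&:to_s).uniq.sort
end

# Body for PUT /v1/acl/token/:accessor_id. Consul accepts policy links by
# Name, so the resource never has to resolve IDs; sending this on every run
# is the "always update the policies" choice described in the thread.
def token_update_body(desired_names, description:)
  {
    'Description' => description,
    'Policies'    => desired_names.map { |name| { 'Name' => name.to_s } }
  }
end

if $PROGRAM_NAME == __FILE__
  puts to_hcl(ANONYMOUS_RULES)
  puts "anonymous rules read-only: #{read_only_rules?(ANONYMOUS_RULES)}"
  puts "token up to date: #{policies_up_to_date?(CURRENT_TOKEN, %w[anonymous])}"
  puts JSON.pretty_generate(token_update_body(%w[anonymous dns-read], description: 'Anonymous Token'))
end
```

`read_only_rules?` treats every scalar in the rules hash as a permission level, which matches the shape of Consul policy rules (`policy = "..."`, `operator = "..."`); if a policy ever needed `write` on a prefix it would fail this check, which is the point for a policy handed to the anonymous token.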

tas50 commented 4 years ago

Thanks @scalp42