wish / katalog-sync

A reliable node-local mechanism for syncing k8s pods to consul services
MIT License

ACLs #34

Closed krzysztof-bronk closed 4 years ago

krzysztof-bronk commented 4 years ago

Hello,

I have not found any parameters or settings that would allow for specifying ACL tokens for registering the service. Is there a plan to add it?

jacksontj commented 4 years ago

There aren't any plans as of yet, but this sounds like something we'd potentially be interested in. TBH I haven't used those before, but from the looks of it it seems very similar to vault tokens/policies (not a big surprise, since they are both hashicorp). My question would be what scope would katalog-sync be responsible for here -- sounds like you'd want to define a session token as part of the annotation? If so that should be a very simple addition.

krzysztof-bronk commented 4 years ago

Basically, when ACLs are enabled, you have to supply a token with each Consul API call, and that token has to map to a policy that allows you to perform the requested action. So when katalog-sync calls Consul to register a service, for example, you'd have to supply a token with that call. How you obtain it is up to the implementation, I suppose; usually it's either an environment variable or, additionally (in line with katalog-sync), an annotation on the pod. Of course you can have very strict policies and require different tokens for different API calls... but one is good for a start.

ltagliamonte-dd commented 4 years ago

@krzysztof-bronk have you tried the environment variable:

CONSUL_HTTP_TOKEN

This is something I'm interested in as well. The client library should pick it up... https://github.com/hashicorp/consul/blob/master/api/api.go#L382

jacksontj commented 4 years ago

If it is just an env var (as @ltagliamonte-dd is pointing out) then the env vars should work (we use them to set the consul endpoint etc.).

ltagliamonte-dd commented 4 years ago

I just finished my test integration and I can confirm that it works; I'm able to use TLS and ACL tokens.

OFF_TOPIC: @jacksontj do you think someone from your team is going to work on this https://github.com/wish/katalog-sync/issues/32 ?
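The approach the thread settles on (no katalog-sync option at all; the hashicorp/consul Go API client reads the token and TLS settings from its environment) looks like this in a DaemonSet manifest. This is an added example, not part of katalog-sync's own manifests or the commenters' setups. The Secret name, key names, image reference, namespace and CA mount path are assumptions; the `CONSUL_HTTP_*` and `CONSUL_CACERT` variable names are the ones the Go client's `api.DefaultConfig()` honours.

```yaml
# Added example (not from katalog-sync): feed the Consul ACL token and TLS
# settings to katalog-sync through the env vars the hashicorp/consul Go API
# client reads. Secret/key names, image and mount path are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: katalog-sync-consul          # assumed name
  namespace: kube-system             # assumed namespace
type: Opaque
stringData:
  token: "REPLACE-WITH-ACL-TOKEN"    # placeholder; never commit a real token
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-CA-CERTIFICATE
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: katalog-sync
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: katalog-sync
  template:
    metadata:
      labels:
        app: katalog-sync
    spec:
      containers:
        - name: katalog-sync
          image: katalog-sync:latest  # assumed image reference
          env:
            # Node-local Consul agent, reached via the node's IP over HTTPS.
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: CONSUL_HTTP_ADDR
              value: "$(HOST_IP):8501"
            - name: CONSUL_HTTP_SSL
              value: "true"
            - name: CONSUL_HTTP_SSL_VERIFY
              value: "true"           # keep verification on; do not disable for convenience
            - name: CONSUL_CACERT
              value: "/etc/consul-tls/ca.crt"
            # ACL token comes from the Secret, not a literal in the manifest.
            - name: CONSUL_HTTP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: katalog-sync-consul
                  key: token
          volumeMounts:
            - name: consul-tls
              mountPath: /etc/consul-tls
              readOnly: true
      volumes:
        - name: consul-tls
          secret:
            secretName: katalog-sync-consul
            items:
              - key: ca.crt
                path: ca.crt
```

Two caveats a practitioner will want. First, the token only works if it maps to a policy that permits what katalog-sync actually does, which is register and deregister services through the local agent, so grant `service:write` on the service names (or prefix) it manages and nothing broader; anyone who can read Secrets in that namespace or exec into the pod can read the token. Second, the client reads the variable once when it builds its config, so rotating the token means restarting the pods; newer versions of the Go client also accept `CONSUL_HTTP_TOKEN_FILE`, but whether the client version vendored by katalog-sync supports it is not something this thread establishes.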

jacksontj commented 4 years ago

Sounds like we're all set here (as it's just an env var), so going to close out.