Closed krzysztof-bronk closed 4 years ago
There aren't any plans as of yet, but this sounds like something we'd potentially be interested in. TBH I haven't used those before, but from the looks of it, it seems very similar to Vault tokens/policies (not a big surprise, since they are both HashiCorp). My question would be what scope would katalog-sync be responsible for here -- sounds like you'd want to define a session token as part of the annotation? If so, that should be a very simple addition.
Basically, when ACLs are enabled, you have to supply a token to each Consul API call, and that token has to map to a policy that allows you to perform the requested action. So when katalog-sync calls Consul to register a service, for example, you'd have to supply a token to that call. How you obtain it is up to the implementation, I suppose; usually it's either an environment variable or additionally (in line with katalog-sync) an annotation on the pod. Of course you can have very strict policies and require different tokens for different API calls... but one is good for a start.
@krzysztof-bronk have you tried the environment variables:
CONSUL_HTTP_TOKEN
This is something I'm interested in as well. The client library should pick it up... https://github.com/hashicorp/consul/blob/master/api/api.go#L382
If it is just an env var (as @ltagliamonte-dd is pointing out) then the env vars should work (we use them to set the Consul endpoint etc.).
I just finished my test integration and I can confirm that it works; I'm able to use TLS and ACL token.
OFF_TOPIC: @jacksontj do you think someone from your team is going to work on this https://github.com/wish/katalog-sync/issues/32 ?
Sounds like we're all set here (as it's just an env var), so going to close out.
Hello,
I have not found any parameters or settings that would allow for specifying ACL tokens for registering the service. Is there a plan to add it?
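
Added example (not part of the thread and not the katalog-sync project's own manifest): one way to supply the `CONSUL_HTTP_TOKEN` environment variable discussed above, with the token read from a Kubernetes Secret instead of written as a literal in the pod spec. The DaemonSet layout, namespace, Secret name, labels and the image and token placeholders are all assumptions.

```yaml
# Constructed example. Every name and value below is a placeholder or assumption.
apiVersion: v1
kind: Secret
metadata:
  name: katalog-sync-consul-token      # hypothetical Secret name
  namespace: kube-system               # assumed namespace
type: Opaque
stringData:
  token: "<consul-acl-token>"          # placeholder; supply out of band, do not commit
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: katalog-sync
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: katalog-sync
  template:
    metadata:
      labels:
        app: katalog-sync
    spec:
      containers:
        - name: katalog-sync
          image: "<katalog-sync-image>"  # placeholder image reference
          env:
            # Weak form (left commented out): the token is a literal in the
            # manifest, readable by anyone who can view the DaemonSet or pod.
            # - name: CONSUL_HTTP_TOKEN
            #   value: "<consul-acl-token>"
            #
            # Preferred form: the value is injected from the Secret, so read
            # access to the workload spec does not expose the token itself.
            - name: CONSUL_HTTP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: katalog-sync-consul-token
                  key: token
```

The token should map to a Consul ACL policy limited to the actions katalog-sync performs, such as service registration, and access to the Secret should be restricted with Kubernetes RBAC.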