rework to use Workload Identity #5
Merged
After testing in a fresh environment, I found a number of steps that don't work, are out of order, or have undesirable effects. This changeset represents a minimum amount of updates just to get this all working without improving the workflow more generally. This includes:

* Bootstrap Consul ACLs after configuring the Consul environment variables, so that we can connect to the Consul agent we're trying to configure.
* Run `nomad` with the `-dev-connect` flag so that the API GW is listening on a non-localhost address.
* Make it clear the certs used for the Nomad CLI are the ones named "server".
* Update the Docker build step so that in the default local development case we're building an image that Nomad will not try to download.
* Add the missing Consul gRPC and HTTP address to the values we write to Nomad Variables, and make the name of the Consul CA variable consistent with Consul's use.
* Explain where to find the API GW address and port.
* Remove incorrect references to env vars from the Nomad agent config.
* Make the `tls.cert_file` and `tls.key_file` path match the names of the files we create.
* Ensure we don't commit certificates by adding them to `.gitignore`

Additional PRs will follow on this repo to resolve #2 and #3.
tgross requested review from gulducat, Juanadelacuesta, angrycub, shoenig and kkavish on May 2, 2024 19:45
david-yu reviewed on May 2, 2024
Heavily revise the repo to use Nomad's Workload Identity. From a high-level perspective, we use WI to authorize the gateway job to correctly register itself with Consul. The API Gateway is deployed in its own Nomad namespace. You'll add a Consul ACL role that the Consul binding rule matches for that Nomad namespace. And then that Consul ACL role grants the appropriate permissions to the API Gateway. This also refactors the repo to split out the setup of the agents from the API GW setup, because a user may have a running cluster already either for production purposes or one they stood up using the tutorial for Nomad and Consul Workload Identity. Fixes: #2 Fixes: #3
jrasell approved these changes on May 7, 2024
An initial pass looks good but I've not run it through yet. I can look at this tomorrow as needed.
Co-authored-by: James Rasell <[email protected]>
david-yu approved these changes on May 7, 2024
Heavily revise the repo to use Nomad's Workload Identity. From a high-level perspective, we use WI to authorize a Consul task to bootstrap Envoy and correctly register it with Consul. The API Gateway is deployed in its own Nomad namespace. We add a Consul ACL role that the Consul binding rule matches for that Nomad namespace. And then that Consul ACL role grants the appropriate permissions to the API Gateway.
This also refactors the repo to split out the setup of the agents from the API GW deployment, because a user may have a running cluster already either for production purposes or one they stood up using the tutorial for Nomad and Consul Workload Identity.
Fixes: #2
Fixes: #3
Notes to reviewers:

This currently includes the contents of minimal updates to get working end-to-end #4 (Closed). We can either review that separately or just close that PR out. Either way is fine by me.

To run this exactly, we need two minor PRs to land in Nomad to ensure we're setting the correct env var for the task and that the `nomad setup consul` command has a convenience flag. (Both shipped in beta)

* `-jwks-ca-file` to Vault/Consul setup commands hashicorp/nomad#20518
* `CONSUL_HTTP_TOKEN` env var to tasks hashicorp/nomad#20519

`<details>` block.
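The wiring the PR description above lays out (a Consul binding rule that matches the gateway's Nomad namespace and resolves to a Consul ACL role carrying the gateway's permissions), as an added example that is not code from this repository or from the PR. The Nomad namespace `ingress`, the auth method name `nomad-workloads`, the role and policy name `api-gateway-ingress`, and the policy rules themselves are assumptions made for the example; the identity block name `consul_default` and audience `consul.io` are the defaults the Nomad/Consul integration uses, also to be treated as assumptions here. Only the pure helper functions run without a cluster; `apply_consul_acls` and `verify_gateway_token` need `CONSUL_HTTP_ADDR` and a suitable `CONSUL_HTTP_TOKEN` in the environment.

```shell
#!/usr/bin/env sh
# Added example, not code from the repository this PR modifies.
# Shows the Workload Identity path: a Consul JWT auth method trusts Nomad's
# JWKS, a binding rule maps task identities from ONE Nomad namespace to ONE
# Consul ACL role, and that role carries the gateway's permissions.
# Assumed names (not from the page): namespace "ingress", auth method
# "nomad-workloads", role/policy "api-gateway-ingress".
set -eu

AUTH_METHOD="${AUTH_METHOD:-nomad-workloads}"

# ACL policy granted to the gateway role. Assumption: this is the minimum the
# gateway needs; check it against the Consul API gateway docs for your version.
# Nothing here lets the token write arbitrary services or nodes.
api_gw_policy_rules() {
  cat <<'EOF'
mesh = "write"
peering = "read"
EOF
}

# Binding-rule selector over the claims Nomad puts in the workload identity:
#  - no nomad_service claim: a task identity, not a service identity
#  - nomad_namespace equals the gateway namespace: a job in any other
#    namespace cannot obtain this role even though it uses the same auth method
api_gw_selector() {
  printf '"nomad_service" not in value and value.nomad_namespace == "%s"' "$1"
}

api_gw_role_name() {
  printf 'api-gateway-%s' "$1"
}

# identity block for the gateway task in the jobspec, so the task receives a
# Consul-audience JWT carrying the claims the selector above tests.
# Assumption: "consul_default" / "consul.io" are the integration defaults.
api_gw_identity_block() {
  cat <<'EOF'
identity {
  name = "consul_default"
  aud  = ["consul.io"]
  ttl  = "1h"
}
EOF
}

# Creates policy, role and binding rule. Needs CONSUL_HTTP_ADDR and a
# management CONSUL_HTTP_TOKEN in the environment; not called by default.
apply_consul_acls() {
  ns="$1"
  role="$(api_gw_role_name "$ns")"
  api_gw_policy_rules | consul acl policy create -name "$role" -rules - >/dev/null
  consul acl role create -name "$role" -policy-name "$role" >/dev/null
  consul acl binding-rule create \
    -method "$AUTH_METHOD" \
    -bind-type role \
    -bind-name "$role" \
    -selector "$(api_gw_selector "$ns")" >/dev/null
  echo "Nomad namespace '$ns' -> Consul role '$role' via auth method '$AUTH_METHOD'"
}

# Check a reviewer would want: with CONSUL_HTTP_TOKEN set to the token the
# gateway task obtained via login, the token must list the gateway role.
# Run it once with a token from another namespace and expect it to fail.
verify_gateway_token() {
  ns="$1"
  consul acl token read -self | grep -q "$(api_gw_role_name "$ns")" \
    && echo "token carries role $(api_gw_role_name "$ns")"
}
```

The selector is where least privilege lives: the auth method is cluster-wide, so without the namespace condition any Nomad task with a `consul.io`-audience identity would resolve to the gateway role.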