
Consul integration upgrade based on Workload Identity #15618

Closed
mikenomitch opened this issue Dec 22, 2022 · 2 comments

Comments

@mikenomitch
Contributor

mikenomitch commented Dec 22, 2022

Proposal

Once Workload Identity upgrades make it into Nomad, we can redo the Consul integration to use these tokens as the source of auth instead of manually provided Consul tokens.

Using these tokens, Nomad Users would have a one-time setup process to integrate Nomad workloads into Consul.

The general flow for setting up the Consul-Nomad integration would be:

  • Set up Consul
    • Create a Policy for Nomad in Consul
    • Set up JWT Auth Method. As part of this setup, Consul is configured to use Nomad’s public keys, either by passing in the keys directly, a JWKS URL, or an OIDC config URL
    • Create Binding Rule(s) for Consul to map Nomad workloads to Consul Roles and/or Services
  • Set up Nomad
    • Pass a Consul URL into Nomad Server config in a new configuration block
      (Note: no token needed)
  • Deploy Job
    • Job is configured to use new Consul integration
    • Nomad, recognizing that the new integration is being used, automatically requests a token for this job using the JWT auth method.

This would involve an up-front cost to set up roles and binding rules in Consul, but after that no management of tokens would be needed.

Use Cases & Advantages

This would be advantageous in many ways:

  • Nomad Users would not have to manage Consul token issuing, rotation, and revocation for Nomad clients.
  • Nomad Users would not have to manage Consul tokens for each Nomad workload.
  • Workload identity tokens could be time-bound and automatically rotated
  • Workload identity tokens could provide fine-grained access at the task level
  • Workload identity tokens could be automatically removed once the task has stopped
  • Multiple Consul clusters could be configured to use the same token. This could allow Nomad to talk to multiple clusters at once and handle disaster recovery better. Failovers could happen without token rotation in Nomad.
  • Consul could be more easily deployed as a Nomad job, as client tokens/config would not be needed.
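The setup flow in the proposal (Consul policy, JWT auth method fed by Nomad's public keys, binding rules, token-free Nomad server block), carried through as an added example. This is not code from the issue or from the Nomad or Consul projects: it emits each artifact from a shell function and only applies the Consul side with the `consul acl` CLI when `APPLY_CONSUL_SETUP=1` is set. The hostnames, the `consul.io` audience, the `nomad_*` claim names, the `nomad-workloads`/`nomad-tasks` names and the `service_identity`/`task_identity` block shape are assumptions, not anything the issue states.

```shell
#!/bin/sh
# Added example, not from the issue or the Nomad/Consul projects.
# One-time Consul-side setup for the proposed workload-identity integration,
# plus the token-free Nomad server block. Hosts, claims and audiences are assumed.
set -eu

NOMAD_JWKS_BASE="${NOMAD_JWKS_BASE:-https://nomad.example.internal:4646}"  # assumed Nomad API address
CONSUL_JWT_AUD="${CONSUL_JWT_AUD:-consul.io}"   # assumed audience Nomad stamps into identities minted for Consul
AUTH_METHOD="nomad-workloads"                  # assumed auth method name

# Step 1a: a narrow policy for tasks that need more than service registration
# (here: read-only access under one KV prefix). Service registration itself is
# granted per service by the service binding rule below, so no blanket
# service_prefix "" write policy is handed to workloads.
nomad_task_policy() {
cat <<'EOF'
key_prefix "nomad-tasks/" {
  policy = "read"
}
EOF
}

# Step 1b: JWT auth method config. Consul fetches Nomad's public keys from the
# JWKS URL, verifies signature, audience and expiry, and exposes the listed
# claims as value.* to the binding-rule selectors.
jwt_auth_method_config() {
cat <<EOF
{
  "JWKSURL": "${NOMAD_JWKS_BASE}/.well-known/jwks.json",
  "JWTSupportedAlgs": ["RS256"],
  "BoundAudiences": ["${CONSUL_JWT_AUD}"],
  "ClaimMappings": {
    "nomad_namespace": "nomad_namespace",
    "nomad_job_id": "nomad_job_id",
    "nomad_task": "nomad_task",
    "nomad_service": "nomad_service"
  }
}
EOF
}

# Step 1c: binding rules. A JWT carrying nomad_service gets a Consul service
# identity scoped to exactly that service name; a JWT carrying nomad_task gets
# the role that holds the KV policy. Nothing else is granted.
service_binding_selector() { printf '%s' '"nomad_service" in value'; }
service_binding_name()     { printf '%s' '${value.nomad_service}'; }
task_binding_selector()    { printf '%s' '"nomad_task" in value'; }
task_binding_role()        { printf '%s' 'nomad-tasks'; }

# Step 2: Nomad server config. There is no token attribute: the server only
# needs Consul's address and the audience/TTL to put into the identities it
# signs for services and tasks.
nomad_server_consul_block() {
cat <<EOF
consul {
  address = "consul.example.internal:8501"   # assumed
  ssl     = true

  service_identity {
    aud = ["${CONSUL_JWT_AUD}"]
    ttl = "1h"   # identities are time-bound; Nomad re-requests them before expiry
  }
  task_identity {
    aud = ["${CONSUL_JWT_AUD}"]
    ttl = "1h"
  }
}
EOF
}

# Step 1 applied: needs a Consul management token in CONSUL_HTTP_TOKEN
# (bootstrap-time only; no long-lived token is left in Nomad afterwards).
apply_consul_setup() {
  tmp=$(mktemp -d)
  nomad_task_policy      > "$tmp/policy.hcl"
  jwt_auth_method_config > "$tmp/method.json"
  consul acl policy create -name nomad-tasks -rules "@$tmp/policy.hcl"
  consul acl role create -name "$(task_binding_role)" -policy-name nomad-tasks
  consul acl auth-method create -type jwt -name "$AUTH_METHOD" \
    -max-token-ttl 1h -config "@$tmp/method.json"
  consul acl binding-rule create -method "$AUTH_METHOD" -bind-type service \
    -bind-name "$(service_binding_name)" -selector "$(service_binding_selector)"
  consul acl binding-rule create -method "$AUTH_METHOD" -bind-type role \
    -bind-name "$(task_binding_role)" -selector "$(task_binding_selector)"
  rm -rf "$tmp"
}

if [ "${APPLY_CONSUL_SETUP:-0}" = "1" ]; then
  apply_consul_setup
fi
```

Two checks worth making before running it against a real cluster: Consul must be able to validate the TLS certificate of the JWKS URL (add `JWKSCACert` to the method config when Nomad's API uses a private CA), and `BoundAudiences` must match the `aud` Nomad puts into the identity, otherwise every login fails closed. Binding with `-bind-type service` uses Consul's service identity template, so a token minted for one service cannot register or deregister another, which is the task-level fine-grained access the proposal lists as an advantage.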
@sofixa
Contributor

sofixa commented Jun 15, 2023

Something to be investigated: will the new automatic rotation fall into the same issues as the current manual rotation of Consul ACL tokens (hashicorp/consul#4372 (comment)), where after the ACL token has been rotated Nomad is unable to update the services which were registered by this token?

@tgross tgross assigned tgross and unassigned schmichael Aug 2, 2023
@tgross tgross added this to the 1.7.0 milestone Aug 17, 2023
@mikenomitch mikenomitch moved this from Later release shortlist (uncommitted) to 1.7 - Beta (ETA mid-Oct) in Nomad Roadmap Aug 17, 2023
tgross added a commit that referenced this issue Oct 25, 2023
Submitting a Consul or Vault token with a job is deprecated in Nomad 1.7 and
intended for removal in Nomad 1.9. Add a deprecation warning to the CLI when the
user passes in the appropriate flag or environment variable.

Nomad agents will no longer need a Vault token when configured with workload
identity, and we'll ignore Vault tokens in the agent config after Nomad 1.9. Log
a warning at agent startup.

Ref: #15617
Ref: #15618
tgross added a commit that referenced this issue Oct 26, 2023
@tgross
Member

tgross commented Nov 1, 2023

Shipped in Nomad 1.7.0-beta.1

@tgross tgross closed this as completed Nov 1, 2023
@github-project-automation github-project-automation bot moved this from 1.7 - Beta (ETA October 31) to 1.9 & 1.10 Shortlist (uncommitted) in Nomad Roadmap Nov 1, 2023
@mikenomitch mikenomitch moved this from 1.9 & 1.10 Shortlist (uncommitted) to 1.7 - Beta (ETA October 31) in Nomad Roadmap Nov 6, 2023
5 participants