consul: consul taskrunner hook should only write tokens that belong t…

…o its task (#18635) Ref hashicorp/team-nomad#404
hashicorp · Oct 2, 2023 · 3d62438 · 3d62438
1 parent 62a0768
commit 3d62438
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
@@ -56,6 +57,15 @@ func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest,
 	// Write tokens to tasks' secret dirs
 	for cluster, t := range tokens {
 		for identity, token := range t {
+			// do not write tokens that do not belong to any of this task's
+			// identities
+			if !slices.ContainsFunc(
+				h.task.Identities,
+				func(id *structs.WorkloadIdentity) bool { return id.Name == identity }) &&
+				identity != h.task.Identity.Name {
+				continue
+			}
+
 			filename := fmt.Sprintf("%s_%s_%s", consulTokenFilePrefix, cluster, identity)
 			tokenPath := filepath.Join(h.tokenDir, filename)
 			if err := os.WriteFile(tokenPath, []byte(token), consulTokenFilePerms); err != nil {