From 3d624388765f895a020d20a9767f2dced0b108c7 Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Mon, 2 Oct 2023 19:49:02 +0200
Subject: [PATCH] consul: consul taskrunner hook should only write tokens that belong to its task (#18635)

Ref hashicorp/team-nomad#404
---
 client/allocrunner/taskrunner/consul_hook.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
index 64e3561109b..3a5159ae9ca 100644
--- a/client/allocrunner/taskrunner/consul_hook.go
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
@@ -56,6 +57,15 @@ func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest,
 	// Write tokens to tasks' secret dirs
 	for cluster, t := range tokens {
 		for identity, token := range t {
+			// do not write tokens that do not belong to any of this task's
+			// identities
+			if !slices.ContainsFunc(
+				h.task.Identities,
+				func(id *structs.WorkloadIdentity) bool { return id.Name == identity }) &&
+				identity != h.task.Identity.Name {
+				continue
+			}
+
 			filename := fmt.Sprintf("%s_%s_%s", consulTokenFilePrefix, cluster, identity)
 			tokenPath := filepath.Join(h.tokenDir, filename)
 			if err := os.WriteFile(tokenPath, []byte(token), consulTokenFilePerms); err != nil {
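Review bot: The new guard dereferences `h.task.Identity.Name` for every token with no nil check; if `Identity` can still be unset on the task when Prestart runs (it appears to be filled in during canonicalization, but nothing in this hook asserts that), the first token in the map panics the task runner instead of being skipped. The comparison also rescans `h.task.Identities` once per token; collecting the task's identity names into a set before the loops gives one lookup per token and puts the ownership rule in a single place where a nil default identity is handled explicitly. A token that arrives for an identity this task does not own is currently dropped silently; if the hook carries a logger, a trace-level line naming the cluster and identity would make a server/client identity mismatch visible during triage rather than showing up later as a missing token file. Prestart begins and ends outside this hunk, so the hoisted set goes just above the existing `// Write tokens to tasks' secret dirs` comment.

```go
	// Names of every identity this task may use; tokens for any other
	// identity are never written into this task's secret dir.
	own := make(map[string]struct{}, len(h.task.Identities)+1)
	for _, id := range h.task.Identities {
		own[id.Name] = struct{}{}
	}
	if h.task.Identity != nil {
		own[h.task.Identity.Name] = struct{}{}
	}

	// Write tokens to tasks' secret dirs
	for cluster, t := range tokens {
		for identity, token := range t {
			if _, ok := own[identity]; !ok {
				continue
			}
			// … unchanged: build filename and write the token file …
```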