consul: only fetch Consul tokens for Consul-specific identities

Only the workload identities signed specifically for Consul, named `consul_$clusterName` or specific to a service, should result in authenticating to Consul to get tokens.
hashicorp · Oct 3, 2023 · a3f4ad0 · a3f4ad0
1 parent e7136f8
commit a3f4ad0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 29 deletions.
diff --git a/client/allocrunner/consul_hook.go b/client/allocrunner/consul_hook.go
@@ -102,36 +102,12 @@ func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.
 		return nil
 	}
 
-	// default identity
-	ti := widmgr.TaskIdentity{
-		TaskName:     task.Name,
-		IdentityName: task.Identity.Name,
-	}
-
-	req, err := h.prepareConsulClientReq(ti, consulTasksAuthMethodName)
-	if err != nil {
-		return err
-	}
-
-	jwt, err := h.widmgr.Get(ti)
-	if err != nil {
-		h.logger.Error("error getting signed identity", "error", err)
-		return err
-	}
-
-	req[task.Identity.Name] = consul.JWTLoginRequest{
-		JWT:            jwt.JWT,
-		AuthMethodName: consulTasksAuthMethodName,
-	}
-
-	// FIXME Fetch from Task.Consul.Cluster once #18557 is in
-	if err := h.getConsulTokens(structs.ConsulDefaultCluster, task.Identity.Name, tokens, req); err != nil {
-		return err
-	}
-
-	// alt identities
+	// get tokens for alt identities for Consul
 	mErr := multierror.Error{}
 	for _, i := range task.Identities {
+		if i.Name != fmt.Sprintf("consul_%s", consulConfig.Name) {
+			continue
+		}
 		ti := widmgr.TaskIdentity{
 			TaskName:     task.Name,
 			IdentityName: i.Name,

diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
@@ -46,7 +46,7 @@ func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.Al
 }
 
 func (*consulHook) Name() string {
-	return "consul"
+	return "consul_task"
 }
 
 func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error {