From a3f4ad0130d2716ca0d646fac64f843622cc70e0 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Tue, 3 Oct 2023 15:53:00 -0400
Subject: [PATCH] consul: only fetch Consul tokens for Consul-specific identities

Only the workload identities signed specifically for Consul, named `consul_$clusterName` or specific to a service, should result in authenticating to Consul to get tokens.
---
client/allocrunner/consul_hook.go | 32 +++-----------------
client/allocrunner/taskrunner/consul_hook.go | 2 +-
2 files changed, 5 insertions(+), 29 deletions(-)

diff --git a/client/allocrunner/consul_hook.go b/client/allocrunner/consul_hook.go
index e289b723fd3..771b8300e63 100644
--- a/client/allocrunner/consul_hook.go
+++ b/client/allocrunner/consul_hook.go
@@ -102,36 +102,12 @@ func (h *consulHook) prepareConsulTokensForTask(job *structs.Job, task *structs.
 		return nil
 	}
 
-	// default identity
-	ti := widmgr.TaskIdentity{
-		TaskName: task.Name,
-		IdentityName: task.Identity.Name,
-	}
-
-	req, err := h.prepareConsulClientReq(ti, consulTasksAuthMethodName)
-	if err != nil {
-		return err
-	}
-
-	jwt, err := h.widmgr.Get(ti)
-	if err != nil {
-		h.logger.Error("error getting signed identity", "error", err)
-		return err
-	}
-
-	req[task.Identity.Name] = consul.JWTLoginRequest{
-		JWT: jwt.JWT,
-		AuthMethodName: consulTasksAuthMethodName,
-	}
-
-	// FIXME Fetch from Task.Consul.Cluster once #18557 is in
-	if err := h.getConsulTokens(structs.ConsulDefaultCluster, task.Identity.Name, tokens, req); err != nil {
-		return err
-	}
-
-	// alt identities
+	// get tokens for alt identities for Consul
 	mErr := multierror.Error{}
 	for _, i := range task.Identities {
+		if i.Name != fmt.Sprintf("consul_%s", consulConfig.Name) {
+			continue
+		}
 		ti := widmgr.TaskIdentity{
 			TaskName: task.Name,
 			IdentityName: i.Name,
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
index 3a5159ae9ca..c59bbae6455 100644
--- a/client/allocrunner/taskrunner/consul_hook.go
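Review bot: The new guard `if i.Name != fmt.Sprintf("consul_%s", consulConfig.Name)` admits only the cluster-scoped identity, while the commit message also lists identities "specific to a service" as ones that should authenticate to Consul; if service identities are meant to be handled in this loop rather than elsewhere, they are now silently skipped and never reach the token exchange. The `fmt.Sprintf` is loop-invariant, so compute it once before the `for` and compare against it, e.g. `wantIdentity := fmt.Sprintf("consul_%s", consulConfig.Name)` followed by `if i.Name != wantIdentity {`, and a comment such as `// only identities minted for this Consul cluster may be exchanged for a Consul token` would make the intent of the exact-match filter explicit to the next reader. Where `consulConfig` is bound is not visible in this hunk, so I could not confirm it reflects the task's own cluster; the removed FIXME about reading Task.Consul.Cluster suggests that was still open. prepareConsulTokensForTask starts before and continues past this hunk.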
+++ b/client/allocrunner/taskrunner/consul_hook.go
@@ -46,7 +46,7 @@ func newConsulHook(logger log.Logger, tr *TaskRunner, hookResources *cstructs.Al
 }
 
 func (*consulHook) Name() string {
-	return "consul"
+	return "consul_task"
 }
 
 func (h *consulHook) Prestart(context.Context, *interfaces.TaskPrestartRequest, *interfaces.TaskPrestartResponse) error {