Enable terminating gateways to use ACL Auth Method #1102
@@ -69,11 +69,11 @@ func TestTerminatingGateway(t *testing.T) { | |
// Register the external service | ||
registerExternalService(t, consulClient, "") | ||
|
||
// If ACLs are enabled we need to update the token of the terminating gateway | ||
// If ACLs are enabled we need to update the role of the terminating gateway | ||
// with service:write permissions to the static-server service | ||
// so that it can can request Connect certificates for it. | ||
if c.secure { | ||
updateTerminatingGatewayToken(t, consulClient, staticServerPolicyRules) | ||
updateTerminatingGatewayRole(t, consulClient, staticServerPolicyRules) | ||
} | ||
|
||
// Create the config entry for the terminating gateway. | ||
|
@@ -133,32 +133,32 @@ func registerExternalService(t *testing.T, consulClient *api.Client, namespace s | |
require.NoError(t, err) | ||
} | ||
|
||
func updateTerminatingGatewayToken(t *testing.T, consulClient *api.Client, rules string) { | ||
func updateTerminatingGatewayRole(t *testing.T, consulClient *api.Client, rules string) { | ||
t.Helper() | ||
|
||
// Create a write policy for the static-server. | ||
logger.Log(t, "creating a write policy for the static-server") | ||
_, _, err := consulClient.ACL().PolicyCreate(&api.ACLPolicy{ | ||
Name: "static-server-write-policy", | ||
Rules: rules, | ||
}, nil) | ||
require.NoError(t, err) | ||
|
||
// Get the terminating gateway token. | ||
tokens, _, err := consulClient.ACL().TokenList(nil) | ||
logger.Log(t, "getting the terminating gateway role") | ||
roles, _, err := consulClient.ACL().RoleList(nil) | ||
We could use the | I will follow up with this. I originally tried it, but I don't think I was passing in the correct name. |
||
require.NoError(t, err) | ||
var termGwTokenID string | ||
for _, token := range tokens { | ||
if strings.Contains(token.Description, "terminating-gateway-terminating-gateway-token") { | ||
termGwTokenID = token.AccessorID | ||
terminatingGatewayRoleID := "" | ||
for _, role := range roles { | ||
if strings.Contains(role.Name, "terminating-gateway") { | ||
terminatingGatewayRoleID = role.ID | ||
break | ||
} | ||
} | ||
termGwToken, _, err := consulClient.ACL().TokenRead(termGwTokenID, nil) | ||
require.NoError(t, err) | ||
|
||
// Add policy to the token and update it | ||
termGwToken.Policies = append(termGwToken.Policies, &api.ACLTokenPolicyLink{Name: "static-server-write-policy"}) | ||
_, _, err = consulClient.ACL().TokenUpdate(termGwToken, nil) | ||
logger.Log(t, "update role with policy") | ||
termGwRole, _, err := consulClient.ACL().RoleRead(terminatingGatewayRoleID, nil) | ||
require.NoError(t, err) | ||
termGwRole.Policies = append(termGwRole.Policies, &api.ACLTokenPolicyLink{Name: "static-server-write-policy"}) | ||
_, _, err = consulClient.ACL().RoleUpdate(termGwRole, nil) | ||
require.NoError(t, err) | ||
} | ||
|
||
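Review bot: The lookup loop in updateTerminatingGatewayRole leaves terminatingGatewayRoleID empty when no role name contains "terminating-gateway", so the test then fails only with whatever RoleRead returns for an empty ID, and if that call tolerates an empty ID the next line dereferences a nil termGwRole. Add `require.NotEmpty(t, terminatingGatewayRoleID, "terminating gateway role not found")` directly before the RoleRead call so the missing role is reported as such. strings.Contains is also a loose match that will take the first role with that substring in any position; a comment above the loop stating the role-name shape this relies on (presumably a release-name prefix, to be confirmed) would make the intended match explicit. The function is complete within this hunk.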
|
note: we should make sure to include it in the terminating gw docs (it looks like right now we don't have any docs about updating the token policy, but I think we definitely should add it: https://www.consul.io/docs/k8s/connect/terminating-gateways). We'd also need to call it out as a breaking change for anyone using a terminating gateway today, because if they have updated their token policy for the service, it will not apply anymore, since we'll be using a token from `consul login`.
👍 When Luke asked me about what I was working on last week, he mentioned this part of that doc would need to change to reflect updating role rather than the token. I used what he described to do the acceptance test change and plan on updating this doc now based on the acceptance test change.