Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create anonymous-policy and token from non-default partitions. #966

Merged
merged 6 commits into from
Jan 24, 2022

Conversation

thisisnotashwin
Copy link
Contributor

@thisisnotashwin thisisnotashwin commented Jan 14, 2022

Changes proposed in this PR:

  • Ensure the anonymous token in the default partition is updated to support cross-partition DNS resolution even if the server-acl-init is running in a non-default partition. This ensures DNS lookups work even if the default partition is on VMs and hence does not have the requisite policy required to do the same.
  • Update SDK to the latest version that update which updates ACL.Tokens.Master to ACL.Tokens.InitialManagement

How I've tested this PR:

  • Acceptance tests don't break
  • Tested on HCP with help from the cloud team.

How I expect reviewers to test this PR:

  • 👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@thisisnotashwin thisisnotashwin marked this pull request as ready for review January 14, 2022 22:31
@thisisnotashwin thisisnotashwin requested review from ndhanushkodi, a team and ishustava and removed request for a team January 14, 2022 22:32
@thisisnotashwin thisisnotashwin marked this pull request as draft January 18, 2022 21:38
Copy link
Contributor

@ndhanushkodi ndhanushkodi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great Ashwin! To make sure I understand correctly-- from any new partition where server-acl-init is run, it will idempotently configure the anonymous policy in the default partition?

@ndhanushkodi
Copy link
Contributor

Oh I see it got updated to draft, just re-request me if you need a review again later

@thisisnotashwin
Copy link
Contributor Author

Looks great Ashwin! To make sure I understand correctly-- from any new partition where server-acl-init is run, it will idempotently configure the anonymous policy in the default partition?

Exactly!!

Oh I see it got updated to draft, just re-request me if you need a review again later

Yeah. Iryna and I had a conversation and I think I know how I want to test this. Will un-draft it once I have a unit test and re-request a review. Sorry bout that.

@thisisnotashwin thisisnotashwin force-pushed the always-create-anon-token branch from 60c54bf to 86d1565 Compare January 21, 2022 00:16
@thisisnotashwin thisisnotashwin force-pushed the always-create-anon-token branch from 86d1565 to 03c7e3b Compare January 21, 2022 00:21
@thisisnotashwin thisisnotashwin marked this pull request as ready for review January 21, 2022 00:23
@@ -129,4 +129,6 @@ require (
sigs.k8s.io/yaml v1.2.0 // indirect
)

replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was to update the version of the consul/sdk without impacting the version of the consul/api.

@@ -70,7 +70,7 @@ commands:
type: string
consul-k8s-image:
type: string
default: "docker.mirror.hashicorp.services/hashicorpdev/consul-k8s-control-plane:latest"
default: "ashwinvenkatesh/consul-k8s@sha256:9b46fae446fcf99c715d9063231857eef5525830f2cd3cdcb46266c84db11deb"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will be deleted before merge.

Copy link
Contributor

@ishustava ishustava left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Just a couple of minor edits

CHANGELOG.md Outdated Show resolved Hide resolved
Copy link
Contributor

@ndhanushkodi ndhanushkodi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!! The test is :chefs_kiss!!

Ashwin Venkatesh and others added 3 commits January 24, 2022 13:11
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
@thisisnotashwin thisisnotashwin merged commit 37c409d into main Jan 24, 2022
@thisisnotashwin thisisnotashwin deleted the always-create-anon-token branch January 24, 2022 18:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants