Bootstrap the Consul ACL system if no token is given #10751
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This pull request is being automatically deployed with Vercel (learn more). vault-storybook – ./ui🔍 Inspect: https://vercel.com/hashicorp/vault-storybook/12grfbqes [Deployment for b892ffe canceled] |
remilapeyre
force-pushed
the
bootstrap-consul
branch
from
a23e3cd
to
44b236f
Compare
remilapeyre
force-pushed
the
bootstrap-consul
branch
from
44b236f
to
8768d99
Compare
remilapeyre
changed the title
remilapeyre
force-pushed
the
bootstrap-consul
branch
from
8768d99
to
b4ea56a
Compare
Being able to bootstrap the ACL system of Consul is something that has long been asked of its Terraform provider (hashicorp/terraform-provider-consul#95). We always refused to implement a solution that would save this token in the Terraform state has the new ACL system in 1.4 meant that we could finally referenced some token without having access to their secret ID. Storing the bootstrap token in the state would have made this useless and would potentially be a security issue. This change makes it possible to configure a new Consul secret engine without providing a token, in that case Vault knows that the ACL system has not yet been boostraped and do it itself. This means that will at last be able to have completely automatic and secure Consul cluster creation using Terraform, this has been wanted by our users for some time now.
remilapeyre
force-pushed
the
bootstrap-consul
branch
from
b4ea56a
to
b892ffe
Compare
|
Is there any hope for this to get merged? Would really love this functionality to be able to programmatically and idempotently bootstrap consul ACLs directly from a Terraform / Vault setup. |
|
@remilapeyre Hi Rémi. Thanks for the contribution to Vault and sorry for the delay. |
|
Hi @robmonte, conflicts should be fixed now :) |
robmonte
requested changes
Apr 14, 2022
robmonte
reviewed
Apr 14, 2022
|
@remilapeyre I left a PR review with some feedback and small change requests. If you have any responses to them, please let me know. To avoid potential upcoming merge conflicts I am planning on getting this merged in very soon. If you don't have time to go through my review, I can move your commits into a new PR and make the updates myself on top of your work so you retain credit for your contribution. I'll wait a couple days before doing so. |
Mongey
added a commit
to Mongey/vault
that referenced
this pull request
Apr 19, 2022
Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:hashicorp#10751
swenson
pushed a commit
that referenced
this pull request
Apr 20, 2022
* Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:#10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt
|
Hi @robmonte, I updated the PR based on your comments. Everything should be ready now. |
robmonte
approved these changes
Apr 20, 2022
schultz-is
pushed a commit
that referenced
this pull request
Apr 27, 2022
* Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:#10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt
schultz-is
pushed a commit
that referenced
this pull request
Apr 27, 2022
* Automatically bootstraps the Consul ACL system if no management token is given on the access config
schultz-is
pushed a commit
that referenced
this pull request
May 2, 2022
* Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:#10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt
schultz-is
pushed a commit
that referenced
this pull request
May 2, 2022
* Automatically bootstraps the Consul ACL system if no management token is given on the access config
JanMa
pushed a commit
to JanMa/openbao-plugin-secrets-nomad
that referenced
this pull request
Jan 28, 2024
* Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:hashicorp/vault#10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt
JanMa
pushed a commit
to JanMa/openbao-plugin-secrets-nomad
that referenced
this pull request
Jan 28, 2024
* Bootstrap Nomad ACL system if no token is given Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul] it would be very useful to bootstrap Nomads ACL system and manage it in Vault. [boostrap-consul]:hashicorp/vault#10751 * Add changelog entry * Remove debug log line * Remove redundant else * Rename Nomad acl bootstrap param * Replace sleep with attempt to list nomad leader, setup will retry until successful * fmt
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Being able to bootstrap the ACL system of Consul is something that has
long been asked of its Terraform provider (hashicorp/terraform-provider-consul#95).
We always refused to implement a solution that would save this token in
the Terraform state has the new ACL system in 1.4 meant that we could
finally referenced some token without having access to their secret ID.
Storing the bootstrap token in the state would have made this useless
and would potentially be a security issue.
This change makes it possible to configure a new Consul secret engine
without providing a token, in that case Vault knows that the ACL system
has not yet been boostraped and do it itself. This means that will at
last be able to have completely automatic and secure Consul cluster
creation using Terraform, this has been wanted by our users for some
time now.