Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add suport for Consul service-identities and node-identities #15295

Merged
merged 13 commits into from
May 10, 2022
Merged

Add suport for Consul service-identities and node-identities #15295

merged 13 commits into from
May 10, 2022

Conversation

robmonte
Copy link
Member

@robmonte robmonte commented May 4, 2022

This PR is a rebase of #10607

This adds Consul secrets engine support for node-identities and service-identities.

When writing a Vault role, you can specify node-identity or service-identity like so:
vault write consul/roles/serv-id-role service_identities="webserv-1:dc1"
or
vault write consul/roles/node-id-role node_identities="client-1:dc1"

You can specify multiple of each identity on a Vault role. Service-identities are semicolon-separated because you can have a list of datacenters, while node-identities are just comma-separated.
vault write consul/roles/serv-id-role service_identities="webserv-1:dc1,dc2,dc3;webserv-2;webserv-3:dc1"
or
vault write consul/roles/node-id-role node_identities="client-1:dc1,client-2;client-3:dc2"

Then to obtain a token from Consul, you simply give the role like normal:
vault read consul/creds/serv-id-role
vault read consul/creds/node-id-role

@robmonte robmonte requested a review from taoism4504 as a code owner May 4, 2022 20:57
@robmonte robmonte requested a review from a team May 4, 2022 20:57
swenson
swenson reviewed May 5, 2022
View reviewed changes
builtin/logical/consul/path_roles.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_token.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_token.go Outdated Show resolved Hide resolved
calvn
calvn reviewed May 5, 2022
View reviewed changes
builtin/logical/consul/path_token.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_token.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_token.go Outdated Show resolved Hide resolved
builtin/logical/consul/path_roles.go Outdated Show resolved Hide resolved
@calvn calvn self-requested a review May 9, 2022 20:48
calvn
calvn approved these changes May 9, 2022
View reviewed changes
Copy link
Contributor

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Thanks for adding tests around the changes, and good call on using TypeStringSlice instead -- definitely looks much cleaner.

austingebauer
austingebauer approved these changes May 10, 2022
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Nice job, @robmonte 👍

website/content/api-docs/secret/consul.mdx Show resolved Hide resolved
website/content/api-docs/secret/consul.mdx Show resolved Hide resolved
builtin/logical/consul/path_token_test.go Show resolved Hide resolved
@robmonte robmonte merged commit 4f3e668 into main May 10, 2022
@robmonte robmonte added this to the 1.11.0-rc1 milestone May 13, 2022
@robmonte robmonte deleted the rebase-consul-acl-identities branch October 5, 2022 07:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@swenson swenson swenson left review comments

@austingebauer austingebauer austingebauer approved these changes

@calvn calvn calvn approved these changes

@taoism4504 taoism4504 Awaiting requested review from taoism4504

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.11.0-rc1
Development

Successfully merging this pull request may close these issues.
5 participants
@robmonte @swenson @calvn @austingebauer @kula