ACLs: Support external servers #420
Conversation
ishustava
added
area/acls
* server-acl-init-job sets server addresses if 'externalServers.enabled' is true * server-acl-init and server-acl-init-cleanup jobs and resources now run either when servers are enabled or when externalServers are enabled * Add new acls.bootstrapToken value for providing your own bootstrap token.
ishustava
force-pushed
the
acl-init-external-servers
branch
from
f6f206e to
975a7b7
Compare
|
Have a question @ishustava Great suggestion for the new feature. My question is, after adding this capability, how can we customize which client node gets what type of policy (read/write) and which service gets what policy. Looks like the additional configuration in the helm chart here, will ask for a 'standard' policy to be set on the consul server? For example, using this - all client nodes (in the form of a k8s node) will get the same policy, correct? Or is there room to customize policy per client node? |
|
Hey @pratiklotia, thanks for your feedback. Correct, at the moment, all client pods are given the same token even if servers are deployed on k8s too. This is a good point though and is something that has come up before. I think we should look into giving clients a unique token and making their policies more restrictive, but I think this is out-of-scope for this feature. I've filed #425 to track this separately. |
There was a problem hiding this comment.
I really like the addition of the $serverEnabled variable in the templates! It makes the logic very clear.
Warnings?
Should we warn folks using external servers if their client.join and externalServers.https.address values don't match?
Should we warn folks if externalServers.enabled=true and servers are enabled?
External server options
I'm having a hard time parsing some of the external server options. Specifically when to use them, whether they're optional and why I might need to set them.
https: Is this entire block optional since we fall back to theclient.joinsetup?https:address: It would be helpful to mention that this can't include a port.https.port: Would there ever be a case where I've set myclient.joinproperty, but the port is pulled from here? Could that cause problems?tlsServerNameanduseSystemRoots: Are these only useful settings when using a custom CA?
Should externalServers.https.address be an array? It mirrors client.join which is an array.
Tests
Any logic that references both server and externalServers needs to do an exclusion test by setting server.enabled to false since servers are enabled by default in the Helm chart.
* Remove authMethodConfig.caCert property because it's likely pretty uncommon. * Fail if both server and externalServers are enabled * Add missing tests
|
@adilyse Thanks so much for the review and organizing your thoughts so clearly! I've updated the PR with your suggestions. The main change that came out of that was the configuration change. I think allowing configuring a custom CA cert for the auth method will be pretty uncommon, and so I'd rather punt on adding that configuration. As a result, the With regards to the placement of this config property, I chose the Below are my responses to your other questions:
No, because the purpose of this property is to be able to overwrite the client.join address used by default.
Yep, I think that's a good idea. I'll add a failure to the templates and tests. I've also added a warning to the comment for the
Yes.
Updated the comment.
I'm not sure what you mean; maybe you have an example in mind? Your
We don't need this to be an array because we only need one server to talk to, doesn't matter which one.
Good call! I've added missing tests. |
There was a problem hiding this comment.
All of the updates look really good! The tests in particular are 💯 🎉
The one major concern I still have with this is the client.join and its interaction with externalServers.https.port. We learned yesterday that the retry-join flag can take a port value. If someone has this set in their client.join and hasn't updated the externalServers.https.port since they assume it's taken care of by client.join, we'll overwrite that port with the default value of 443.
Given the complexity of splitting off the port, does it make sense to ask people to instead explicitly set the server address?
| # This address must to be reachable from the Consul servers. | ||
| # Please see https://www.consul.io/docs/acl/auth-methods/kubernetes.html. | ||
| # Requires consul-k8s >= 0.14.0. | ||
| overrideAuthMethodHost: "" |
There was a problem hiding this comment.
I still think this makes more sense to be under the externalServers section. You can set it when not using external servers, but it's unlikely that very many people will need. On the other hand, it could be quite common for folks running external servers to need to make use of this value. It could be easy to miss it though, since it's not grouped with those settings.
| {{- if not .Values.externalServers.enabled }} | ||
| -server-port=8501 \ | ||
| {{- end }} |
There was a problem hiding this comment.
This might make sense to be set near the -server-address flag.
|
If somebody has provided a client.join with a port, then I think we can make the server-acl-init command ignore the port if it's provided to the I'm not super concerned with port being overwritten because |
Co-Authored-By: Rebecca Zanzig <[email protected]>
Co-Authored-By: Rebecca Zanzig <[email protected]>
Problem
Currently, we support ACL bootstrapping only if the servers are also deployed on Kubernetes. If you're running servers elsewhere, we currently recommend bootstrapping ACLs yourself and setting up the correct policies and tokens for the k8s components. You could then set them as values, e.g.
syncCatalog.aclSyncTokenorconnectInject.overrideAuthMethodNameandconnectInject.aclInjectToken.However, figuring out the right policies is hard, and creating them yourself is still a manual process. Even though servers are running externally, our knowledge about the policies and tokens you need doesn't change since we still consume them from the Helm chart. The workaround right now is to create a Kubernetes secret with the bootstrap token named something that the Helm chart expects. This will trick the job into thinking that the bootstrapping was already done and it will continue to create tokens and policies for the rest of the components.
See #413 for a bit more details.
Proposal
This PR proposes to use the new
externalServersconfiguration to enable the server-acl-init job to talk to external servers.It also provides two ways of "initializing" ACLs for external servers:
acl/bootstrapAPI and then provide the bootstrap token by settingglobal.acls.bootstrapTokensecret. The Helm config for this use case could look like this:Testing
This PR can be tested on AKS with the Helm configs above and the
ishustava/consul-k8s-dev:04-16-2020-ae132bcimage.Requires #401 to be merged first.