Nomad Consul Legacy ACL Workflow Failing to Deregister Catalog Services on Job Updates #23534

Closed
natemollica-nm opened this issue Jul 10, 2024 · 2 comments
Labels
hcc/cst Admin - internal stage/accepted Confirmed, and intend to work on. No timeline committment though. theme/consul

natemollica-nm commented Jul 10, 2024

Consul Nomad Legacy ACL Workflow Service Deregistrations Failing

Creating separate Issue for tracking and resolution from original issue #16616 for Nomad + Consul ACL legacy (non-WI) workflow.

Product Versioning

Consul: v1.19.0
Nomad: v1.8.1

Summary: Consul Catalog Service deregistrations fail upon Nomad Job updates despite the Nomad Agent's Consul ACL token being specified due to Consul defaulting to the anonymous token.

Workaround: Configure Consul client agent ACL stanza to include a token attached to a Consul ACL Token Policy that contains the rules below.

agent_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "write"
}
key_prefix "" {
  policy = "read"
}

Consul Client Agent Configuration Example:

      acl {
        enabled = true
        default_policy = "deny"
        down_policy = "extend-cache"
        tokens {
          initial_management = "<my_nomad_client_token_secretID>"
        }
      }

tgross commented Jul 10, 2024

@tgross tgross added theme/consul stage/accepted Confirmed, and intend to work on. No timeline committment though. hcc/cst Admin - internal labels Jul 10, 2024

tgross commented Aug 16, 2024

As noted in #23800

Since Consul 1.15 (hashicorp/consul#16097), the Consul client agent only uses the agent token to perform anti-entropy after you deregister a service via the Agent API, so the Consul client agent must have its own agent token.

@tgross tgross closed this as not planned Won't fix, can't repro, duplicate, stale Aug 16, 2024
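
To check whether a node shows the symptom discussed in this thread, the following added example (not code from the issue, Nomad or Consul) compares the Consul client agent's local services with the catalog entry for the same node and lists Nomad task services that remain in the catalog after the agent dropped them. It assumes Nomad's `_nomad-task-` service ID prefix and the response shapes of `GET /v1/agent/services` and `GET /v1/catalog/node/<node>`; the sample data and the helper names are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

NOMAD_PREFIX = "_nomad-task-"  # prefix of the Consul service IDs Nomad registers for tasks


def fetch(base_url, path, token):
    """GET a Consul HTTP API path, passing the ACL token in X-Consul-Token."""
    req = urllib.request.Request(base_url + path, headers={"X-Consul-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def stale_catalog_services(agent_services, catalog_node, prefix=NOMAD_PREFIX):
    """Return catalog service IDs on this node that the local agent no longer holds.

    agent_services: body of GET /v1/agent/services (map of service ID -> service)
    catalog_node:   body of GET /v1/catalog/node/<node> ({"Node": ..., "Services": {...}}),
                    or None when the node is not in the catalog
    """
    catalog = (catalog_node or {}).get("Services") or {}
    local_ids = set(agent_services or {})
    return sorted(s for s in catalog if s.startswith(prefix) and s not in local_ids)


def check_live(base_url, node, token):
    """Same comparison against a running agent (needs network and a read-capable token)."""
    node_path = "/v1/catalog/node/" + urllib.parse.quote(node, safe="")
    return stale_catalog_services(
        fetch(base_url, "/v1/agent/services", token),
        fetch(base_url, node_path, token),
    )


# Constructed sample: the agent has only the new allocation's service, while the
# catalog still lists the previous allocation's service after a job update.
SAMPLE_AGENT = {
    "_nomad-task-bbbb2222-web-web-http": {"Service": "web", "Port": 8081},
}
SAMPLE_CATALOG = {
    "Node": {"Node": "client-1"},
    "Services": {
        "_nomad-task-aaaa1111-web-web-http": {"Service": "web", "Port": 8080},
        "_nomad-task-bbbb2222-web-web-http": {"Service": "web", "Port": 8081},
        "manual-db": {"Service": "db", "Port": 5432},  # not managed by Nomad, ignored
    },
}

if __name__ == "__main__":
    print(stale_catalog_services(SAMPLE_AGENT, SAMPLE_CATALOG))
```

Anti-entropy sync is periodic, so an ID reported once may be a sync still in flight; an ID that persists across repeated runs points to the failed deregistration described above.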