Bootstrap the Consul ACL system if no token is given #10751
Being able to bootstrap the ACL system of Consul is something that has long been asked of its Terraform provider (hashicorp/terraform-provider-consul#95). We always refused to implement a solution that would save this token in the Terraform state, as the new ACL system in 1.4 meant that we could finally reference some tokens without having access to their secret ID. Storing the bootstrap token in the state would have made this useless and would potentially be a security issue. This change makes it possible to configure a new Consul secret engine without providing a token; in that case Vault knows that the ACL system has not yet been bootstrapped and does it itself. This means that we will at last be able to have completely automatic and secure Consul cluster creation using Terraform; this has been wanted by our users for some time now.
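To make the decision described above concrete, here is an added example (not code from this PR or from Vault itself) of what the Consul secrets engine's setup has to do: use the supplied management token, or, when none is given, call Consul's `PUT /v1/acl/bootstrap` endpoint and keep the returned secret ID in Vault's own storage. It also handles the case the description implies but does not spell out: a cluster whose ACL system was already bootstrapped answers 403, and setup must then fail rather than continue without a token. The function name, the error variable and the `*http.Client` parameter are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Returned when the ACL system was bootstrapped earlier and no token was
// given: Vault cannot obtain a management token on its own, so setup fails loudly.
var ErrAlreadyBootstrapped = errors.New("consul ACLs already bootstrapped and no management token given")

// The part of Consul's PUT /v1/acl/bootstrap reply that the engine keeps.
type bootstrapToken struct {
	SecretID string `json:"SecretID"`
}

// resolveManagementToken decides which token the access config will store.
// A non-empty token is used as given; an empty one means the ACL system is
// assumed un-bootstrapped and Vault bootstraps it itself, keeping the secret
// ID in its own storage rather than in the Terraform state.
func resolveManagementToken(client *http.Client, consulAddr, token string) (string, error) {
	if token != "" {
		return token, nil
	}
	req, err := http.NewRequest(http.MethodPut, consulAddr+"/v1/acl/bootstrap", nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	switch resp.StatusCode {
	case http.StatusOK:
		var t bootstrapToken
		if err := json.Unmarshal(body, &t); err != nil || t.SecretID == "" {
			return "", fmt.Errorf("bad bootstrap response: %q", body)
		}
		return t.SecretID, nil
	case http.StatusForbidden: // Consul's answer once bootstrap is no longer allowed
		return "", ErrAlreadyBootstrapped
	default:
		return "", fmt.Errorf("bootstrap returned %d: %s", resp.StatusCode, body)
	}
}
```

The bootstrap token is a full management token, so whatever calls this should write the result straight into the engine's access config and never echo it back to the caller.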
Is there any hope for this to get merged? Would really love this functionality, to be able to programmatically and idempotently bootstrap Consul ACLs directly from a Terraform / Vault setup.
@remilapeyre Hi Rémi. Thanks for the contribution to Vault and sorry for the delay.
Hi @robmonte, conflicts should be fixed now :)
Just a couple small change requests and some additional comments. Looks great!!
@remilapeyre I left a PR review with some feedback and small change requests. If you have any responses to them, please let me know. To avoid potential upcoming merge conflicts I am planning on getting this merged in very soon. If you don't have time to go through my review, I can move your commits into a new PR and make the updates myself on top of your work so you retain credit for your contribution. I'll wait a couple days before doing so.
Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul], it would be very useful to bootstrap Nomad's ACL system and manage it in Vault.

[boostrap-consul]: hashicorp#10751

* Bootstrap Nomad ACL system if no token is given
  Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul], it would be very useful to bootstrap Nomad's ACL system and manage it in Vault.
  [boostrap-consul]: #10751
* Add changelog entry
* Remove debug log line
* Remove redundant else
* Rename Nomad acl bootstrap param
* Replace sleep with attempt to list nomad leader, setup will retry until successful
* fmt
Hi @robmonte, I updated the PR based on your comments. Everything should be ready now. |
* Automatically bootstraps the Consul ACL system if no management token is given on the access config