
Bootstrap the Consul ACL system if no token is given #10751

Merged (5 commits), Apr 20, 2022

Conversation

remilapeyre (Contributor)

Being able to bootstrap the ACL system of Consul is something that has
long been asked of its Terraform provider (hashicorp/terraform-provider-consul#95).

We always refused to implement a solution that would save this token in
the Terraform state, as the new ACL system in 1.4 meant that we could
finally reference some tokens without having access to their secret ID.
Storing the bootstrap token in the state would have made this useless
and would potentially be a security issue.

This change makes it possible to configure a new Consul secret engine
without providing a token; in that case Vault knows that the ACL system
has not yet been bootstrapped and does it itself. This means that we will at
last be able to have completely automatic and secure Consul cluster
creation using Terraform; this has been wanted by our users for some
time now.
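An added illustration of the "bootstrap only when no token is configured" logic the PR describes; this is example code written for this page, not the Vault code base. It talks to a constructed fake Consul agent (`newFakeConsul`, assumed) that mimics the real behaviour of Consul's one-shot `PUT /v1/acl/bootstrap` endpoint, which refuses with HTTP 403 once the ACL system has been bootstrapped:

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// bootstrapToken returns a configured token unchanged; when it is empty it calls Consul's
// one-shot PUT /v1/acl/bootstrap and returns the new management SecretID (403 = already done).
func bootstrapToken(address, token string, c *http.Client) (string, error) {
	if token != "" {
		return token, nil
	}
	req, err := http.NewRequest(http.MethodPut, address+"/v1/acl/bootstrap", nil)
	if err != nil {
		return "", err
	}
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Already bootstrapped (or no permission): fail loudly, a management token must be configured.
		return "", fmt.Errorf("ACL bootstrap refused (HTTP %d): configure a management token", resp.StatusCode)
	}
	var tok struct{ SecretID string }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return "", err
	}
	return tok.SecretID, nil // held by Vault's own storage, never written to Terraform state
}
// newFakeConsul is a constructed stand-in for a Consul agent: first bootstrap succeeds, later ones get 403.
func newFakeConsul() *httptest.Server {
	bootstrapped := false
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bootstrapped {
			http.Error(w, "ACL bootstrap no longer allowed", http.StatusForbidden)
			return
		}
		bootstrapped = true
		json.NewEncoder(w).Encode(map[string]string{"SecretID": "constructed-bootstrap-secret-id"})
	}))
}
func main() {
	srv := newFakeConsul()
	defer srv.Close()
	tok, err := bootstrapToken(srv.URL, "", srv.Client()) // first engine config: bootstraps
	_, again := bootstrapToken(srv.URL, "", srv.Client()) // second attempt: refused with 403
	fmt.Println(tok, err, again)
}
```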


mike-sol commented Feb 2, 2022

Is there any hope for this to get merged? Would really love this functionality to be able to programmatically and idempotently bootstrap consul ACLs directly from a Terraform / Vault setup.

robmonte (Member) commented Apr 6, 2022

@remilapeyre Hi Rémi. Thanks for the contribution to Vault and sorry for the delay.
@mike-sol I wanted to let you both know that this PR is on my radar. Due to some recent changes on our end, there are now conflicts with the PR files, but we have this PR tracked and prioritized internally now.

@remilapeyre remilapeyre requested a review from taoism4504 as a code owner April 9, 2022 21:11
@remilapeyre remilapeyre requested a review from a team April 9, 2022 21:11
remilapeyre (Contributor, Author) commented

Hi @robmonte, conflicts should be fixed now :)

robmonte (Member) left a review

Just a couple small change requests and some additional comments. Looks great!!

Review comments on:
- builtin/logical/consul/path_config.go (two comments, outdated)
- builtin/logical/consul/client.go (outdated)
- helper/testhelpers/consul/consulhelper.go (two comments, one outdated)
- website/content/docs/secrets/consul.mdx
robmonte (Member) commented

@remilapeyre I left a PR review with some feedback and small change requests. If you have any responses to them, please let me know.

To avoid potential upcoming merge conflicts I am planning on getting this merged in very soon. If you don't have time to go through my review, I can move your commits into a new PR and make the updates myself on top of your work so you retain credit for your contribution. I'll wait a couple days before doing so.

Mongey added a commit to Mongey/vault that referenced this pull request Apr 19, 2022
Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul]
it would be very useful to bootstrap Nomad's ACL system and manage it in
Vault.

[boostrap-consul]:hashicorp#10751
swenson pushed a commit that referenced this pull request Apr 20, 2022
* Bootstrap Nomad ACL system if no token is given

Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul]
it would be very useful to bootstrap Nomad's ACL system and manage it in
Vault.

[boostrap-consul]:#10751

* Add changelog entry

* Remove debug log line

* Remove redundant else

* Rename Nomad acl bootstrap param

* Replace sleep with attempt to list nomad leader, setup will retry until successful

* fmt
remilapeyre (Contributor, Author) commented

Hi @robmonte, I updated the PR based on your comments. Everything should be ready now.

@robmonte robmonte merged commit a694daa into hashicorp:main Apr 20, 2022
schultz-is pushed a commit that referenced this pull request Apr 27, 2022
schultz-is pushed a commit that referenced this pull request Apr 27, 2022
* Automatically bootstraps the Consul ACL system if no management token is given on the access config
schultz-is pushed a commit that referenced this pull request May 2, 2022
schultz-is pushed a commit that referenced this pull request May 2, 2022
JanMa pushed a commit to JanMa/openbao-plugin-secrets-nomad that referenced this pull request Jan 28, 2024
JanMa pushed a commit to JanMa/openbao-plugin-secrets-nomad that referenced this pull request Jan 28, 2024