Add support for Consul service-identities and node-identities #15295
Conversation
Tokens can now be generated with any combination of policies, roles, service identities, and node identities.
Looks great! Thanks for adding tests around the changes, and good call on using TypeStringSlice instead -- definitely looks much cleaner.
Looks good to me. Nice job, @robmonte 👍
This PR is a rebase of #10607
This adds Consul secrets engine support for node-identities and service-identities.
When writing a Vault role, you can specify node-identity or service-identity like so:
vault write consul/roles/serv-id-role service_identities="webserv-1:dc1"
or
vault write consul/roles/node-id-role node_identities="client-1:dc1"
You can specify multiple of each identity on a Vault role. Service-identities are semicolon-separated because you can have a list of datacenters, while node-identities are just comma-separated.
vault write consul/roles/serv-id-role service_identities="webserv-1:dc1,dc2,dc3;webserv-2;webserv-3:dc1"
or
vault write consul/roles/node-id-role node_identities="client-1:dc1,client-2;client-3:dc2"
Then to obtain a token from Consul, you simply give the role like normal:
vault read consul/creds/serv-id-role
vault read consul/creds/node-id-role
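The identity string formats described in the PR above, as an added example (my code, not the PR's or Vault's own parser): both parsers validate the syntax and return an error on malformed entries rather than silently dropping them, so a role grants exactly what the operator wrote. Assumptions: node identities may be separated by either `,` or `;` (the page's example mixes both) and may omit the datacenter, as `client-2` does.

```go
package main
import (
	"fmt"
	"strings"
)
// ServiceIdentity: service name plus optional datacenter list (empty = all DCs).
type ServiceIdentity struct {
	ServiceName string
	Datacenters []string
}
// NodeIdentity: node name scoped to at most one DC; "client-2" on the page has none, so empty is allowed (assumption).
type NodeIdentity struct{ NodeName, Datacenter string }
func splitEntry(entry string) (name, rest string, hasRest bool) {
	parts := strings.SplitN(strings.TrimSpace(entry), ":", 2) // "name[:rest]"; hasRest reports whether ':' was present
	return strings.TrimSpace(parts[0]), strings.TrimSpace(strings.Join(parts[1:], "")), len(parts) == 2
}
// ParseServiceIdentities parses "svc-1:dc1,dc2;svc-2;svc-3:dc1" (';' between entries,
// each name[:dc[,dc...]]). Malformed input is rejected rather than silently dropped.
func ParseServiceIdentities(raw string) ([]ServiceIdentity, error) {
	var out []ServiceIdentity
	for _, entry := range strings.Split(raw, ";") {
		name, dcPart, hasDCs := splitEntry(entry)
		if name == "" {
			return nil, fmt.Errorf("service identity %q: empty service name", entry)
		}
		si := ServiceIdentity{ServiceName: name}
		for _, dc := range strings.Split(dcPart, ",") {
			if dc = strings.TrimSpace(dc); dc != "" {
				si.Datacenters = append(si.Datacenters, dc)
			} else if hasDCs { // "svc:" or "svc:dc1,,dc2"
				return nil, fmt.Errorf("service identity %q: empty datacenter", entry)
			}
		}
		out = append(out, si)
	}
	return out, nil
}
// ParseNodeIdentities parses "client-1:dc1,client-2;client-3:dc2". The page's example mixes ',' and ';'
// between entries, so both separate here (assumption); each entry is node[:dc] and a second ':' is an error.
func ParseNodeIdentities(raw string) ([]NodeIdentity, error) {
	var out []NodeIdentity
	for _, entry := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ';' }) {
		name, dc, hasDC := splitEntry(entry)
		if name == "" || (hasDC && dc == "") || strings.Contains(dc, ":") {
			return nil, fmt.Errorf("node identity %q: expected node[:datacenter]", entry)
		}
		out = append(out, NodeIdentity{NodeName: name, Datacenter: dc})
	}
	return out, nil
}
```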