Consul namespaces feature #349

Merged
merged 7 commits into from
Sep 24, 2020
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog

## [0.5.0 UNRELEASED]

### Added

- Consul namespace feature #346

## [0.4.3]

### Added
3 changes: 3 additions & 0 deletions ansible/bootstrap.yml
Expand Up @@ -125,9 +125,12 @@

- name: Test consul_acl
include_tasks: tests/consul_acl_test.yml
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny'
tags: test

- name: Test enterprise features
include_tasks: tests/enterprise_test.yml
tags: test

- name: Run the nomad acl bootstrap process
include_tasks: nomad_acl_bootstrap.yml
4 changes: 0 additions & 4 deletions ansible/tests/consul_acl_test.yml
Expand Up @@ -6,7 +6,6 @@
until: result.status == 403
retries: 5
delay: 1
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny'

- name: default_policy=deny - access granted with correct token
uri:
Expand All @@ -18,7 +17,6 @@
until: result.status == 200
retries: 5
delay: 1
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny'

- name: default_policy=deny - list services without token, does not show service consul
uri:
Expand All @@ -30,7 +28,6 @@
retries: 5
delay: 1
failed_when: services_payload_1.json["consul"] is defined
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny'

- name: default_policy=deny - list services, with correct token, contains service consul
uri:
Expand All @@ -43,5 +40,4 @@
until: services_payload_2.status == 200
retries: 5
delay: 1
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny'
failed_when: services_payload_2.json["consul"] is not defined
159 changes: 159 additions & 0 deletions ansible/tests/enterprise/consul_namespaces_test.yml
@@ -0,0 +1,159 @@
# User-story -> namespaces in Consul
# Aim: show resource isolation of services
# Reference: https://youtu.be/Ff6kLvKkJBE

# 1. [Master token]
# 1. Register service in namespace=default
# 2. Create namespaces ["team1", "team2"]
# 3. Generate admin tokens for namespaces ["team1", "team2"]
# 2. [Admin team1/team2 token]
# 1. Verify read/write access, try list/register services

- name: Verify that consul acl enabled and default_policy is deny
shell: consul acl policy list
register: consul_acl_default_policy_check
environment:
CONSUL_HTTP_TOKEN: ""
# must exit:1 -> 403 unauthorized
failed_when: consul_acl_default_policy_check.rc == 0

# 1.1
- name: Register service 'web' in namespace=default with master token
shell: consul services register -name=web -address=1.1.1.1 -port=80
register: register_service_try_1
environment:
CONSUL_HTTP_TOKEN: master
failed_when: register_service_try_1.rc > 0

- name: De-register service 'web' in namespace=default with master token
shell: consul services deregister -namespace=default -id=web
register: deregister_service_try_1
environment:
CONSUL_HTTP_TOKEN: master
failed_when: deregister_service_try_1.rc > 0


# 1.2
- name: Create namespace ["team1", "team2"] with master token
shell: |
consul namespace create -name=team1 -description="Team1 namespace" -meta="team-id=team1" -format=json \
&& consul namespace create -name=team2 -description="Team2 namespace" -meta="team-id=team2" -format=json
register: create_namespaces
environment:
CONSUL_HTTP_TOKEN: master
failed_when: create_namespaces.rc > 0


# 1.3 Generate tokens
- name: Create administrator token for team1
shell: >
consul acl token create \
-format=json \
-namespace=team1 \
-description="Team1 administrator" \
-policy-name="namespace-management" \
| jq -r .SecretID
register: team1_namespace_admin_token
environment:
CONSUL_HTTP_TOKEN: master

- name: Create administrator token for team2
shell: >
consul acl token create \
-format=json \
-namespace=team2 \
-description="Team2 administrator" \
-policy-name="namespace-management" \
| jq -r .SecretID
register: team2_namespace_admin_token
environment:
CONSUL_HTTP_TOKEN: master

# 2.1. Verify read/write access, try list/register services
- name: Try to read namespace-management policy namespace team1 with admin token team1 - success
shell: consul acl policy read -namespace=team1 -name=namespace-management
register: read_policy_try_1
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: read_policy_try_1.rc > 0

- name: Try to read namespace-management policy namespace team2 with admin token team1 - should fail
shell: consul acl policy read -namespace=team2 -name=namespace-management
register: read_policy_try_2
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: read_policy_try_2.rc == 0

- name: Try to read namespace-management policy namespace team2 without any token - should fail
shell: consul acl policy read -namespace=team2 -name=namespace-management
register: read_policy_try_3
environment:
CONSUL_HTTP_TOKEN: ""
failed_when: read_policy_try_3.rc == 0

- name: Try register service 'some-web' in namespace=default with admin token team1 - should fail
shell: consul services register -namespace=default -name=some-web -address=1.1.1.1 -port=80
register: register_service_try_2
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: register_service_try_2.rc == 0

- name: Debug register_service_try_2
debug:
msg: "register_service_try_2 {{ register_service_try_2 }}"

- name: Try register service 'some-web' in namespace=team2 with admin token team1 - should fail
shell: consul services register -namespace=team2 -name=some-web -address=1.1.1.1 -port=80
register: register_service_try_3
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: register_service_try_3.rc == 0

- name: Debug register_service_try_3
debug:
msg: "register_service_try_3 {{ register_service_try_3 }}"

- name: Try register service 'some-web' in namespace=team1 with admin token team1 - success
shell: consul services register -namespace=team1 -name=some-web -address=1.1.1.1 -port=80
zhenik marked this conversation as resolved.
register: register_service_try_4
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: register_service_try_4.rc > 0

- name: Debug register_service_try_4
debug:
msg: "register_service_try_4 {{ register_service_try_4 }}"

# 2. Verify read access, try list services
# NB `consul catalog services` cli command does not fail in case of wrong token, instead return an empty list of services
- name: List catalog namespace=team1 with admin token namespace=team1 - 'some-web' found
shell: consul catalog services -namespace=team1
register: list_catalog_try_1
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: list_catalog_try_1.stdout is not search("some-web")

- name: Debug list of services in namespace=team1
debug:
msg: "{{ list_catalog_try_1 }}"

- name: Try list catalog namespace team1 without any token - 'some-web' not found
shell: consul catalog services -namespace=team1
register: list_catalog_try_2
environment:
CONSUL_HTTP_TOKEN: ""
failed_when: list_catalog_try_2.stdout is search("some-web")

- name: Try list catalog namespace=team1 with admin token namespace=team2 - 'some-web' not found
shell: consul catalog services -namespace=team2
register: list_catalog_try_3
environment:
CONSUL_HTTP_TOKEN: "{{ team2_namespace_admin_token.stdout }}"
failed_when: list_catalog_try_3.stdout is search("some-web")

- name: De-register service 'some-web' in namespace=team1 with admin token namespace=team1
shell: consul services deregister -namespace=team1 -id=some-web
register: deregister_service_try_2
environment:
CONSUL_HTTP_TOKEN: "{{ team1_namespace_admin_token.stdout }}"
failed_when: deregister_service_try_2.rc > 0
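Review bot: The cross-namespace isolation check "Try list catalog namespace=team1 with admin token namespace=team2" is vacuous as written: the task name says it lists team1's catalog with the team2 token, but the command passes `-namespace=team2`, so it only lists team2's own catalog, which never held 'some-web'; it should be `shell: consul catalog services -namespace=team1` so that a read of another namespace with the wrong token is actually exercised. The two "Create administrator token" tasks pipe `consul acl token create` into `jq -r .SecretID` without a `failed_when`, so the task's rc is jq's and a failed token creation yields an empty token with rc 0, which then surfaces only as a misleading failure of the later "success" tasks; add `failed_when: team1_namespace_admin_token.stdout | length == 0` (and the team2 counterpart) so the failure is reported at its source. The file also leaves both namespaces and both namespace-admin tokens behind: a rerun will presumably fail at "Create namespace" because the namespaces already exist, and the tokens are persistent privileged credentials, so a closing cleanup step with the master token (`consul acl token delete` for each SecretID, then `consul namespace delete -name=team1` / `-name=team2`) would make the test repeatable and not accumulate credentials. Most of these commands use no shell features, so `command:` rather than `shell:` would be the conventional module for them.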
10 changes: 9 additions & 1 deletion ansible/tests/enterprise_test.yml
Expand Up @@ -17,4 +17,12 @@
failed_when: vault_ent_version_result.rc != 0
when: lookup('env', "vault_enterprise") | bool

# Enterprise features
# Enterprise features

# consul namespaces feature active when:
# - consul_acl=true
# - consul_enterprise=true
# - consul_acl_default_policy=deny
- name: Include consul namespaces feature
include_tasks: enterprise/consul_namespaces_test.yml
when: lookup('env', 'consul_acl') | bool and lookup('env', 'consul_acl_default_policy') == 'deny' and lookup('env', "consul_enterprise") | bool
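Review bot: The new `when` on "Include consul namespaces feature" mixes quote styles within one expression (`"consul_enterprise"` against `'consul_acl'` and `'consul_acl_default_policy'`) and packs three conditions into a single long line; Ansible accepts a list under `when` (entries are AND-ed), which keeps one condition per line and matches the bullet list in the comment directly above it. The first two conditions are the same gate bootstrap.yml applies to the consul_acl test include, so if they drift the namespaces test can run without ACLs actually being enforced; a shared variable for that gate would be worth considering, though the playbook's variable layout is not visible here.
```yaml
when:
  - lookup('env', 'consul_acl') | bool
  - lookup('env', 'consul_acl_default_policy') == 'deny'
  - lookup('env', 'consul_enterprise') | bool
```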