Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

api-gateway: add node:read policy #1018

Merged
merged 4 commits into from Feb 7, 2022
Merged

api-gateway: add node:read policy #1018

merged 4 commits into from Feb 7, 2022

Conversation

mikemorris
Copy link
Contributor

@mikemorris mikemorris commented Feb 3, 2022
edited

To avoid silently filtering all nodes when ACLs are enabled and returning an empty set when attempting to map routes to Consul services registered in consul-k8s

Changes proposed in this PR:

  • Add node_prefix "" { policy = "read" } to the API Gateway template for server-acl-init

How I've tested this PR:

  • Manually applying this change fixed an error loop when deploying Consul API Gateway in GKE with ACLs enabled.

How I expect reviewers to test this PR:

  • Deploy Consul API Gateway via the Helm chart with the following config set
global:
  gossipEncryption:
    autoGenerate: true 
  tls:
    enabled: true
    enableAutoEncrypt: true
  acls:
    manageSystemACLs: true
  • Attempt to apply a route to the gateway - it should fail to attach before this fix, but succeed with this change.

Checklist:

  • Tests added
  • CHANGELOG entry added

@mikemorris
api-gateway: add node:read policy
9ea13e5 
To avoid silently filtering all nodes when ACLs are enabled and returning an empty set when attempting to map routes to Consul services registered in consul-k8s
andrewstucki
andrewstucki approved these changes Feb 3, 2022
View reviewed changes
Copy link
Member

@andrewstucki andrewstucki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the api gateway side of things, this LGTM, not sure if we want other k8s folks to sign off first though, also will need a Changelog entry.

andrewstucki
andrewstucki reviewed Feb 3, 2022
View reviewed changes
control-plane/subcommand/server-acl-init/rules.go
@@ -154,6 +154,9 @@ namespace_prefix "" {
policy = "write"
intentions = "write"
}
node_prefix "" {
policy = "read"
}
{{- if .EnableNamespaces }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for posterity sake, this enables this particular api call. Without the ACL, the call returns an empty node set and the controller is unable to resolve any Consul services needed in an HTTPRoute configuration.

@nathancoleman nathancoleman requested review from a team, ndhanushkodi and thisisnotashwin and removed request for a team February 3, 2022 22:03
@nathancoleman
Copy link
Member

I've requested review from @hashicorp/consul-eco-platform since that's who I was pointed to yesterday

@mikemorris mikemorris requested review from andrewstucki and a team February 3, 2022 22:06
ndhanushkodi
ndhanushkodi approved these changes Feb 4, 2022
View reviewed changes
Copy link
Contributor

@ndhanushkodi ndhanushkodi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@nathancoleman nathancoleman merged commit 8c5c627 into main Feb 7, 2022
@nathancoleman nathancoleman deleted the api-gateway/node-read branch February 7, 2022 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathancoleman nathancoleman nathancoleman approved these changes

@ndhanushkodi ndhanushkodi ndhanushkodi approved these changes

@thisisnotashwin thisisnotashwin Awaiting requested review from thisisnotashwin thisisnotashwin was automatically assigned from hashicorp/consul-kubernetes

@andrewstucki andrewstucki Awaiting requested review from andrewstucki

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mikemorris @nathancoleman @andrewstucki @ndhanushkodi