Merge pull request voxpupuli#487 from spuder/patch-1

Clarify how to use the new acl system
spuder · Jul 28, 2019 · a9ca7f1 · a9ca7f1
2 parents b04670f + 71daf99
commit a9ca7f1
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -232,7 +232,34 @@ consul_token {'test_token':
   ],
 }
 ```
+Here is an exmaple to automatically create a policy and acl for each host. 
+For development environments `acl_api_token` can be the bootstrap token. For production it should be a dedicated token with access to write/read from the acls. 
 
+```
+  # Crate ACL policy that allows nodes to update themselves and read others
+  consul_policy { $::hostname:
+    description => "${::hostname}, generated by puppet",
+    rules => [
+      {
+        'resource' => 'node',
+        'segment' => "$::hostname",
+        'disposition' => 'write'
+      },
+      {
+        'resource' => 'node',
+        'segment' => '',
+        'disposition' => 'read'
+      }
+    ],
+    acl_api_token => $acl_api_token
+  }
+
+  consul_token { $::hostname:
+    policies_by_name => ["${::hostname}"],
+    acl_api_token => $acl_api_token,
+  }
+ ```
+
 Predefining token secret is supported by setting secret_id property.
 
 Externally created tokens and policies may be used by referencing them by ID (Token: accessor_id property, Policy: ID property, linking: policies_by_id property)