
There is no documentation about what Nomad permissions are required when using ACLs with the Nomad provider #9677

Closed
2 tasks done
regner opened this issue Jan 27, 2023 · 5 comments

Comments

@regner
Contributor

regner commented Jan 27, 2023

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

Ran Traefik with the Nomad provider enabled pointing at a Nomad cluster that has ACLs enabled.

What did you see instead?

time="2023-01-27T14:46:48Z" level=error msg="Provider connection error failed to load initial nomad services: Unexpected response code: 403 (Permission denied), retrying in 6.129399793s" providerName=nomad

What version of Traefik are you using?

2.9.6

What is your environment & configuration?

providers:
  nomad:
    exposedByDefault: false
    endpoint:
      address: "http://{{ env "attr.unique.network.ip-address" }}:4646"

If applicable, please paste the log output in DEBUG level

No response

@mpl
Collaborator

mpl commented Jan 30, 2023

Hello @regner ,

have you seen and made sure to configure this part:
https://doc.traefik.io/traefik/providers/nomad/#token
?

@regner
Contributor Author

regner commented Jan 30, 2023

Hey @mpl,

Thank you for the response. Yes I have configured a token, and that is the problem here. Tokens in Nomad are associated with ACL policies. ACL policies can be fairly fine grained with what they allow and what they don't allow.

What I am hoping for is documentation on what permissions Traefik needs so I can create a relevant ACL policy in Nomad.

The alternative, which I would not be willing to ship to production, is generating a token against a policy that just allows everything. I have done this for local testing, and it works, but as I said am unwilling to do that in production.

More information about Nomad ACLs can be found here:

Again thanks for the response. Hope this clarifies things and apologies for not including more information with the original ticket.

@rtribotte
Member

Hello @regner,

Thanks for the explanation and details, indeed, it clarifies the situation.

Traefik is only discovering services (LIST, GET), so, as per the Hashicorp documentation, the needed capabilities should be read-job for the service's namespace.

Could you try to give this capability to Traefik?

@regner
Contributor Author

regner commented Jan 31, 2023

Hey! Thanks, I will give that a shot when I can (hopefully tomorrow). I would think it needs list-jobs and read-job. Either way, I will test and get back to you. Thanks for the response.
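As an added illustration (not part of the thread), here is the "allow everything" policy regner describes beside a least-privilege Nomad ACL policy that grants only the capabilities named in the discussion. The namespace name `default`, the policy name `traefik-read` and the token name are assumptions; whether `list-jobs` plus `read-job` is sufficient is what regner intends to test, not something the thread confirms.

```hcl
# --- Weak setting (local testing only): full write on every namespace. ---
# A token minted from this policy can submit, stop and modify any job,
# so a leaked Traefik token would mean full control of the cluster's workloads.
namespace "*" {
  policy = "write"
}

# --- Corrected setting: read-only service discovery for Traefik. ---
# Only the capabilities discussed in this thread are granted, scoped to the
# namespace whose services Traefik should expose (assumed: "default").
# Add one namespace block per namespace Traefik must discover.
namespace "default" {
  capabilities = ["list-jobs", "read-job"]
}

# Apply the policy and mint a client token for Traefik (assumed names):
#   nomad acl policy apply -description "Traefik service discovery" traefik-read traefik.hcl
#   nomad acl token create -name="traefik" -policy="traefik-read" -type=client
# Hand the resulting SecretID to Traefik through the provider token setting
# linked above. A 403 after this change points to a missing capability or a
# job living in a namespace the policy does not cover.
```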

@traefiker
Contributor

Hi! I'm Træfiker 🤖 the bot in charge of tidying up the issues. I have to close this one because of its lack of activity 😞 Feel free to re-open it or join our Community Forum.

@traefik traefik locked and limited conversation to collaborators May 4, 2023