Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update HCP bootstrapping to support existing clusters 1.15.x version #17305

Merged
merged 5 commits into from
May 12, 2023
Merged

Update HCP bootstrapping to support existing clusters 1.15.x version #17305

merged 5 commits into from
May 12, 2023

Conversation

hanshasselberg
Copy link
Member

@hanshasselberg hanshasselberg commented May 11, 2023
edited
Loading

Description

Manual backport of #16788.

Testing & Reproduction steps

Links

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

freddygv added 4 commits May 11, 2023 12:15
@freddygv @hanshasselberg
Persist HCP management token from server config
cbd7b32 
We want to move away from injecting an initial management token into
Consul clusters linked to HCP. The reasoning is that by using a separate
class of token we can have more flexibility in terms of allowing HCP's
token to co-exist with the user's management token.

Down the line we can also more easily adjust the permissions attached to
HCP's token to limit it's scope.

With these changes, the cloud management token is like the initial
management token in that iit has the same global management policy and
if it is created it effectively bootstraps the ACL system.
@freddygv @hanshasselberg
Update SDK and mock HCP server
25f3f05 
The HCP management token will now be sent in a special field rather than
as Consul's "initial management" token configuration.

This commit also updates the mock HCP server to more accurately reflect
the behavior of the CCM backend.
@freddygv @hanshasselberg
Refactor HCP bootstrapping logic and add tests
a3871de 
We want to allow users to link Consul clusters that already exist to
HCP. Existing clusters need care when bootstrapped by HCP, since we do
not want to do things like change ACL/TLS settings for a running
cluster.

Additional changes:

* Deconstruct MaybeBootstrap so that it can be tested. The HCP Go SDK
  requires HTTPS to fetch a token from the Auth URL, even if the backend
  server is mocked. By pulling the hcp.Client creation out we can modify
  its TLS configuration in tests while keeping the secure behavior in
  production code.

* Add light validation for data received/loaded.

* Sanitize initial_management token from received config, since HCP will
  only ever use the CloudConfig.MangementToken.
@freddygv @hanshasselberg
Add changelog entry
e913c9d
@github-actions github-actions bot added pr/dependencies PR specifically updates dependencies of project theme/cli Flags and documentation for the CLI interface theme/config Relating to Consul Agent configuration, including reloading labels May 11, 2023
@hanshasselberg hanshasselberg merged commit 42eec33 into release/1.15.x May 12, 2023
@hanshasselberg hanshasselberg deleted the backport_1_15_x_16916 branch May 12, 2023 21:01
@jjti jjti mentioned this pull request Aug 28, 2023
Closed
@dlaguerta dlaguerta mentioned this pull request Dec 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmurret jmurret jmurret approved these changes

Assignees
No one assigned
Labels
pr/dependencies PR specifically updates dependencies of project pr/no-backport theme/cli Flags and documentation for the CLI interface theme/config Relating to Consul Agent configuration, including reloading
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hanshasselberg @jmurret @freddygv