open-nomad/client/allocrunner
Tim Gross bfcbc00f4e workload identity (#13223)
In order to support implicit ACL policies for tasks to get their own
secrets, each task would need to have its own ACL token. This would
add extra raft overhead as well as new garbage collection jobs for
cleaning up task-specific ACL tokens. Instead, Nomad will create a
workload Identity Claim for each task.

An Identity Claim is a JSON Web Token (JWT) signed by the server’s
private key and attached to an Allocation at the time a plan is
applied. The encoded JWT can be submitted as the X-Nomad-Token header
to replace ACL token secret IDs for the RPCs that support identity
claims.

Whenever a key is added to a server’s keyring, it will use the key
as the seed for an Ed25519 public-private keypair. That keypair
will be used for signing the JWT and for verifying the JWT.

This implementation is a ruthlessly minimal approach to support the
secure variables feature. When a JWT is verified, the allocation ID
will be checked against the Nomad state store, and non-existent or
terminal allocation IDs will cause the validation to be rejected. This
is sufficient to support the secure variables feature at launch
without requiring implementation of a background process to renew
soon-to-expire tokens.
2022-07-11 13:34:05 -04:00
interfaces workload identity (#13223) 2022-07-11 13:34:05 -04:00
state chore: fixup inconsistent method receiver names. (#11704) 2021-12-20 11:44:21 +01:00
taskrunner workload identity (#13223) 2022-07-11 13:34:05 -04:00
alloc_runner.go client: enforce max_kill_timeout client configuration 2022-07-06 15:29:38 -05:00
alloc_runner_hooks.go client: hookup service wrapper for use within client hooks. 2022-03-21 10:29:57 +01:00
alloc_runner_test.go client: enforce max_kill_timeout client configuration 2022-07-06 15:29:38 -05:00
alloc_runner_unix_test.go Merge branch 'main' into f-1.3-boogie-nights 2022-03-23 09:41:25 +01:00
allocdir_hook.go client: cleanup and document context uses 2019-03-12 15:03:54 -07:00
cgroup_hook.go client/ar: thread through cpuset manager 2021-04-13 13:28:36 -04:00
config.go artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
consul_grpc_sock_hook.go cleanup: purge github.com/pkg/errors 2022-04-01 19:24:02 -05:00
consul_grpc_sock_hook_test.go test: use T.TempDir to create temporary test directory (#12853) 2022-05-12 11:42:40 -04:00
consul_http_sock_hook.go cleanup: purge github.com/pkg/errors 2022-04-01 19:24:02 -05:00
consul_http_sock_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
csi_hook.go csi_hook: valid if any driver supports csi (#13446) 2022-06-22 10:43:43 -04:00
csi_hook_test.go csi_hook: valid if any driver supports csi (#13446) 2022-06-22 10:43:43 -04:00
groupservice_hook.go client: account for service provider namespace updates in hooks. (#12479) 2022-04-06 19:26:22 +02:00
groupservice_hook_test.go tests: remove update 08 groups services test 2022-03-31 10:14:22 -05:00
health_hook.go client: refactor common service registration objects from Consul. 2022-03-15 09:38:30 +01:00
health_hook_test.go Merge branch 'main' into f-1.3-boogie-nights 2022-03-23 09:41:25 +01:00
migrate_hook.go client: cleanup and document context uses 2019-03-12 15:03:54 -07:00
network_hook.go allow configuration of Docker hostnames in bridge mode (#11173) 2021-09-16 08:13:09 +02:00
network_hook_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
network_manager_linux.go allow configuration of Docker hostnames in bridge mode (#11173) 2021-09-16 08:13:09 +02:00
network_manager_linux_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
network_manager_nonlinux.go gofmt all the files 2021-10-01 10:14:28 -04:00
networking.go ar: isolate network actions performed by client 2021-02-02 23:24:57 -05:00
networking_bridge_linux.go cni: add loopback to linux bridge (#13428) 2022-06-20 11:22:53 -04:00
networking_cni.go gofmt all the files 2021-10-01 10:14:28 -04:00
networking_cni_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
task_hook_coordinator.go alloc_runner: stop sidecar tasks last (#13055) 2022-06-07 11:35:19 -04:00
task_hook_coordinator_test.go ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
testing.go artifact: fix numerous go-getter security issues 2022-05-24 16:29:39 -04:00
upstream_allocs_hook.go client: cleanup and document context uses 2019-03-12 15:03:54 -07:00
util.go allocrunnerv2 -> allocrunner 2018-10-16 16:56:56 -07:00