0a496c845e
This change introduces the Task API: a portable way for tasks to access Nomad's HTTP API. This implementation uses a Unix domain socket and, unlike the agent's HTTP API, always requires authentication, even when ACLs are disabled. This PR contains the core feature and tests, but follow-up work is required for the following TODO items: - Docs - may be done in a follow-up, since dynamic node metadata, the Task API, and workload identity all need to interlink - Unit tests for auth middleware - Caching for auth middleware - Rate limiting on negative lookups for auth middleware --------- Co-authored-by: Seth Hoenig <shoenig@duck.com>
# End-to-end fixture for the Task API. Every task below curls the agent's
# health endpoint through the per-allocation Unix domain socket at
# ${NOMAD_SECRETS_DIR}/api.sock. Unlike the agent's regular HTTP API, the
# Task API socket always requires authentication, even when ACLs are
# disabled (see the commit description), so the two tasks that present no
# credential or a bogus one are expected to be rejected, and the two that
# present a workload identity are expected to succeed.
job "api-auth" {
  datacenters = ["dc1"]
  type        = "batch"

  # Pin the job to Linux clients; presumably needed for the exec-driver
  # task below, which runs a host-provided curl binary.
  constraint {
    attribute = "${attr.kernel.name}"
    value     = "linux"
  }

  group "api-auth" {

    # none task should get a 401 response: no credential is presented at all.
    task "none" {
      driver = "docker"

      config {
        image = "curlimages/curl:7.87.0"

        # -v is what surfaces the HTTP status line (and headers) in the task
        # logs. Without --fail, curl exits 0 on a 4xx, so the task itself is
        # expected to complete; the response code is what the test inspects.
        args = [
          "--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
          "-v",
          "localhost/v1/agent/health",
        ]
      }

      resources {
        cpu    = 16
        memory = 32
        disk   = 64
      }
    }

    # bad task should get a 403 response: a well-formed token that is not
    # expected to match anything the cluster has issued.
    task "bad" {
      driver = "docker"

      config {
        image = "curlimages/curl:7.87.0"

        # NOTE: the UUID in the X-Nomad-Token header is a made-up value used
        # only to exercise the "authenticated but unknown token" path. It is
        # not a secret and should not be treated as one by readers or
        # secret scanners.
        args = [
          "--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
          "-H", "X-Nomad-Token: 37297754-3b87-41da-9ac7-d98fd934deed",
          "-v",
          "localhost/v1/agent/health",
        ]
      }

      resources {
        cpu    = 16
        memory = 32
        disk   = 64
      }
    }

    # docker-wid task should succeed due to using workload identity
    task "docker-wid" {
      driver = "docker"

      config {
        image = "curlimages/curl:7.87.0"

        # NOTE(review): -v echoes the outgoing request headers, including
        # this Authorization header, to stderr, so the workload identity
        # token ends up in the task's logs. That is acceptable for a test
        # fixture but is not a pattern to copy into real jobs.
        args = [
          "--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
          "-H", "Authorization: Bearer ${NOMAD_TOKEN}",
          "-v",
          "localhost/v1/agent/health",
        ]
      }

      # Make the task's workload identity available in the environment;
      # presumably this is the source of the ${NOMAD_TOKEN} interpolated in
      # the args above.
      identity {
        env = true
      }

      resources {
        cpu    = 16
        memory = 32
        disk   = 64
      }
    }

    # exec-wid task should succeed due to using workload identity
    task "exec-wid" {
      driver = "exec"

      config {
        # No image here: curl is resolved from the exec driver's environment,
        # so the client host must provide a curl binary.
        command = "curl"

        # Same caveat as docker-wid: -v prints the Authorization header, and
        # therefore the token, into the task logs.
        args = [
          "-H", "Authorization: Bearer ${NOMAD_TOKEN}",
          "--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
          "-v",
          "localhost/v1/agent/health",
        ]
      }

      # Expose the workload identity as an environment variable, consumed as
      # ${NOMAD_TOKEN} above.
      identity {
        env = true
      }

      resources {
        cpu    = 16
        memory = 32
        disk   = 64
      }
    }
  }
}