bfcbc00f4e
In order to support implicit ACL policies for tasks to get their own secrets, each task would need to have its own ACL token. This would add extra raft overhead as well as new garbage collection jobs for cleaning up task-specific ACL tokens. Instead, Nomad will create a workload Identity Claim for each task. An Identity Claim is a JSON Web Token (JWT) signed by the server's private key and attached to an Allocation at the time a plan is applied. The encoded JWT can be submitted as the X-Nomad-Token header to replace ACL token secret IDs for the RPCs that support identity claims. Whenever a key is added to a server's keyring, it will use the key as the seed for an Ed25519 public-private keypair. The private half of that keypair signs the JWT and the public half verifies it. This implementation is a ruthlessly minimal approach to support the secure variables feature. When a JWT is verified, the allocation ID will be checked against the Nomad state store, and non-existent or terminal allocation IDs will cause the validation to be rejected. This is sufficient to support the secure variables feature at launch without requiring implementation of a background process to renew soon-to-expire tokens.
package taskrunner
import (
"context"
"sync"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/nomad/client/allocrunner/interfaces"
)
// identityHook sets the task runner's Nomad workload identity token
// based on the signed identity stored on the Allocation.
//
// The token is read from the allocation's SignedIdentities map, keyed by
// task name, in Prestart and again in Update; an entry that is absent
// yields the empty string, which is what the task runner is then given.
type identityHook struct {
	// tr is the task runner whose Nomad token this hook sets. The
	// allocation (and its SignedIdentities) is read through tr.alloc.
	tr *TaskRunner
	// logger is derived from the parent logger under this hook's Name().
	logger log.Logger
	// taskName keys the lookup into alloc.SignedIdentities.
	taskName string
	// lock serializes Prestart and Update so two invocations cannot
	// interleave their read of the identity and the call to setNomadToken.
	lock sync.Mutex
}
// newIdentityHook builds the identity hook for tr. The hook records tr's
// task name so it can later look up that task's signed identity, and its
// logger is derived from logger under the hook's Name().
func newIdentityHook(tr *TaskRunner, logger log.Logger) *identityHook {
	hook := new(identityHook)
	hook.tr = tr
	hook.taskName = tr.taskName
	hook.logger = logger.Named(hook.Name())
	return hook
}
// Name reports the hook's name, "identity", which is also the name its
// logger is created under.
func (*identityHook) Name() string {
	const hookName = "identity"
	return hookName
}
// Prestart installs the task's workload identity token on the task runner
// before the task starts. The token is whatever the allocation's
// SignedIdentities map holds for this task; when there is no entry the
// lookup yields "" and that empty token is still passed to setNomadToken,
// so such a task ends up with no Nomad token.
// NOTE(review): confirm that clearing to "" is intended for allocations
// that carry no signed identity.
// ctx, req and resp are not consulted; it never returns an error.
func (h *identityHook) Prestart(ctx context.Context, req *interfaces.TaskPrestartRequest, resp *interfaces.TaskPrestartResponse) error {
	h.lock.Lock()
	defer h.lock.Unlock()

	// The identity comes from the task runner's own allocation, not from
	// req. NOTE(review): this assumes h.tr.alloc may be read here without
	// the task runner's own lock — verify against TaskRunner.
	signed := h.tr.alloc.SignedIdentities
	h.tr.setNomadToken(signed[h.taskName])
	return nil
}
// Update re-installs the task's workload identity token after an allocation
// update, using the same SignedIdentities lookup as Prestart: a missing
// entry yields "" and that empty token is still passed to setNomadToken.
// NOTE(review): the identity is read from h.tr.alloc rather than from req,
// so this relies on the task runner having already swapped in the updated
// allocation before update hooks run — verify against the caller; if req
// carries the new allocation it would be the safer source.
// req is not consulted beyond its presence; it never returns an error.
func (h *identityHook) Update(_ context.Context, req *interfaces.TaskUpdateRequest, _ *interfaces.TaskUpdateResponse) error {
	h.lock.Lock()
	defer h.lock.Unlock()

	signed := h.tr.alloc.SignedIdentities
	h.tr.setNomadToken(signed[h.taskName])
	return nil
}