NET-6251 API gateway templated policy (#19728)
parent
78f918a103
commit
c1dbf00a85
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
acl: add api-gateway templated policy
|
||||||
|
```
|
|
@ -1407,7 +1407,7 @@ func TestACL_HTTP(t *testing.T) {
|
||||||
|
|
||||||
var list map[string]api.ACLTemplatedPolicyResponse
|
var list map[string]api.ACLTemplatedPolicyResponse
|
||||||
require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
|
require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
|
||||||
require.Len(t, list, 5)
|
require.Len(t, list, 6)
|
||||||
|
|
||||||
require.Equal(t, api.ACLTemplatedPolicyResponse{
|
require.Equal(t, api.ACLTemplatedPolicyResponse{
|
||||||
TemplateName: api.ACLTemplatedPolicyServiceName,
|
TemplateName: api.ACLTemplatedPolicyServiceName,
|
||||||
|
|
|
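Review bot: The assertion `require.Len(t, list, 6)` pins only the count of builtin templated policies, so a later change that drops the api-gateway entry while adding another builtin would still pass. Checking the entry this commit introduces directly, `require.Contains(t, list, api.ACLTemplatedPolicyAPIGatewayName)`, next to the length check would make the test fail for the right reason. The enclosing TestACL_HTTP starts and ends outside the hunk.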
@ -29,6 +29,9 @@ var ACLTemplatedPolicyServiceSchema string
|
||||||
//go:embed acltemplatedpolicy/schemas/workload-identity.json
|
//go:embed acltemplatedpolicy/schemas/workload-identity.json
|
||||||
var ACLTemplatedPolicyWorkloadIdentitySchema string
|
var ACLTemplatedPolicyWorkloadIdentitySchema string
|
||||||
|
|
||||||
|
//go:embed acltemplatedpolicy/schemas/api-gateway.json
|
||||||
|
var ACLTemplatedPolicyAPIGatewaySchema string
|
||||||
|
|
||||||
type ACLTemplatedPolicies []*ACLTemplatedPolicy
|
type ACLTemplatedPolicies []*ACLTemplatedPolicy
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -37,6 +40,7 @@ const (
|
||||||
ACLTemplatedPolicyDNSID = "00000000-0000-0000-0000-000000000005"
|
ACLTemplatedPolicyDNSID = "00000000-0000-0000-0000-000000000005"
|
||||||
ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
|
ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
|
||||||
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
|
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
|
||||||
|
ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008"
|
||||||
|
|
||||||
ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
|
ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
|
||||||
)
|
)
|
||||||
|
@ -84,6 +88,12 @@ var (
|
||||||
Schema: ACLTemplatedPolicyWorkloadIdentitySchema,
|
Schema: ACLTemplatedPolicyWorkloadIdentitySchema,
|
||||||
Template: ACLTemplatedPolicyWorkloadIdentity,
|
Template: ACLTemplatedPolicyWorkloadIdentity,
|
||||||
},
|
},
|
||||||
|
api.ACLTemplatedPolicyAPIGatewayName: {
|
||||||
|
TemplateID: ACLTemplatedPolicyAPIGatewayID,
|
||||||
|
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
|
||||||
|
Schema: ACLTemplatedPolicyAPIGatewaySchema,
|
||||||
|
Template: ACLTemplatedPolicyAPIGateway,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,9 @@ var ACLTemplatedPolicyNomadServer string
|
||||||
//go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl
|
//go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl
|
||||||
var ACLTemplatedPolicyWorkloadIdentity string
|
var ACLTemplatedPolicyWorkloadIdentity string
|
||||||
|
|
||||||
|
//go:embed acltemplatedpolicy/policies/ce/api-gateway.hcl
|
||||||
|
var ACLTemplatedPolicyAPIGateway string
|
||||||
|
|
||||||
func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
|
func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
|
||||||
if len(t.TemplatedPolicies) == 0 {
|
if len(t.TemplatedPolicies) == 0 {
|
||||||
return nil
|
return nil
|
||||||
|
|
|
@ -95,6 +95,28 @@ query_prefix "" {
|
||||||
Description: "synthetic policy generated from templated policy: builtin/workload-identity",
|
Description: "synthetic policy generated from templated policy: builtin/workload-identity",
|
||||||
Rules: `identity "api" {
|
Rules: `identity "api" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
|
}`,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"api-gateway-template": {
|
||||||
|
templatedPolicy: &ACLTemplatedPolicy{
|
||||||
|
TemplateID: ACLTemplatedPolicyAPIGatewayID,
|
||||||
|
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
|
||||||
|
TemplateVariables: &ACLTemplatedPolicyVariables{
|
||||||
|
Name: "api-gateway",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectedPolicy: &ACLPolicy{
|
||||||
|
Description: "synthetic policy generated from templated policy: builtin/api-gateway",
|
||||||
|
Rules: `mesh = "read"
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
service "api-gateway" {
|
||||||
|
policy = "write"
|
||||||
}`,
|
}`,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
mesh = "read"
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
service "{{.Name}}" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
|
@ -0,0 +1,13 @@
|
||||||
|
{
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"name": { "type": "string", "$ref": "#/definitions/min-length-one" }
|
||||||
|
},
|
||||||
|
"required": ["name"],
|
||||||
|
"definitions": {
|
||||||
|
"min-length-one": {
|
||||||
|
"type": "string",
|
||||||
|
"minLength": 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
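Review bot: The schema entry `"name": { "type": "string", "$ref": "#/definitions/min-length-one" }` only requires a non-empty string, while the new template places that value inside a quoted HCL string at `service "{{.Name}}"`; unless validation elsewhere in the render path already restricts the characters of the name (not visible in this commit), a value containing a double quote or a newline could alter the structure of the generated policy rather than just the service name. Worth confirming where the variable is validated, and if nothing restricts it, tightening this schema with a `pattern` that excludes quotes and whitespace (or rejecting such names in the shared variable validation) and adding a test case for a name with those characters. If the existing service and node templates share this shape, the check belongs in the shared validation rather than in this schema alone.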
@ -26,6 +26,7 @@ const (
|
||||||
ACLTemplatedPolicyDNSName = "builtin/dns"
|
ACLTemplatedPolicyDNSName = "builtin/dns"
|
||||||
ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
|
ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
|
||||||
ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
|
ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
|
||||||
|
ACLTemplatedPolicyAPIGatewayName = "builtin/api-gateway"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ACLLink struct {
|
type ACLLink struct {
|
||||||
|
|
|
@ -69,13 +69,13 @@ func (f *prettyFormatter) FormatTemplatedPolicy(templatedPolicy api.ACLTemplated
|
||||||
buffer.WriteString("Input variables:")
|
buffer.WriteString("Input variables:")
|
||||||
switch templatedPolicy.TemplateName {
|
switch templatedPolicy.TemplateName {
|
||||||
case api.ACLTemplatedPolicyServiceName:
|
case api.ACLTemplatedPolicyServiceName:
|
||||||
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The name of the service.\n", WhitespaceIndent))
|
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The name of the service", "api")
|
||||||
buffer.WriteString("Example usage:\n")
|
|
||||||
buffer.WriteString(WhitespaceIndent + "consul acl token create -templated-policy builtin/service -var name:api\n")
|
|
||||||
case api.ACLTemplatedPolicyNodeName:
|
case api.ACLTemplatedPolicyNodeName:
|
||||||
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The node name.\n", WhitespaceIndent))
|
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The node name", "node-1")
|
||||||
buffer.WriteString("Example usage:\n")
|
case api.ACLTemplatedPolicyWorkloadIdentityName:
|
||||||
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy builtin/node -var name:node-1\n", WhitespaceIndent))
|
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The workload name", "api")
|
||||||
|
case api.ACLTemplatedPolicyAPIGatewayName:
|
||||||
|
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The api gateway service name", "api-gateway")
|
||||||
case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName:
|
case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName:
|
||||||
noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName)
|
noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName)
|
||||||
default:
|
default:
|
||||||
|
@ -98,6 +98,12 @@ func noRequiredVariablesOutput(buffer *bytes.Buffer, templateName string) {
|
||||||
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s\n", WhitespaceIndent, templateName))
|
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s\n", WhitespaceIndent, templateName))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func nameRequiredVariableOutput(buffer *bytes.Buffer, templateName, description, exampleName string) {
|
||||||
|
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - %s.\n", WhitespaceIndent, description))
|
||||||
|
buffer.WriteString("Example usage:\n")
|
||||||
|
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s -var name:%s\n", WhitespaceIndent, templateName, exampleName))
|
||||||
|
}
|
||||||
|
|
||||||
func (f *prettyFormatter) FormatTemplatedPolicyList(policies map[string]api.ACLTemplatedPolicyResponse) (string, error) {
|
func (f *prettyFormatter) FormatTemplatedPolicyList(policies map[string]api.ACLTemplatedPolicyResponse) (string, error) {
|
||||||
var buffer bytes.Buffer
|
var buffer bytes.Buffer
|
||||||
|
|
||||||
|
|
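Review bot: `nameRequiredVariableOutput` is a new function without a doc comment; suggest `// nameRequiredVariableOutput appends the description of the required "Name" variable and a usage example for templateName to buffer.` above `func nameRequiredVariableOutput(buffer *bytes.Buffer, templateName, description, exampleName string) {`. Each `buffer.WriteString(fmt.Sprintf(...))` in the body can be `fmt.Fprintf(buffer, ...)`, which writes into the buffer without building an intermediate string, e.g. `fmt.Fprintf(buffer, "\n%sName: String - Required - %s.\n", WhitespaceIndent, description)`. The same form would suit the unchanged line in noRequiredVariablesOutput at the top of the hunk, whose function starts outside it.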