WIP: Consul ACLs #117

Draft
max wants to merge 8 commits from pr-consul-acl into master
Owner
No description provided.
max added 8 commits 2024-08-23 00:34:30 +03:00
max reviewed 2024-08-23 01:14:16 +03:00
@ -31,0 +51,4 @@
script = ''
while ! test -e /run/locksmith/consul-systemManagementToken; do
echo Waiting for System Management Token
systemctl start locksmith.service
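Review bot: the `while ! test -e /run/locksmith/consul-systemManagementToken` loop has no upper bound and re-issues `systemctl start locksmith.service` on every pass, so a Locksmith that fails permanently leaves this unit spinning (and re-kicking Locksmith) forever instead of failing. Give the wait a deadline, either a counter in the loop or `TimeoutStartSec=` on the unit, and start Locksmith once before the loop; if the intent is only to make sure Locksmith is running, `Wants=locksmith.service` plus `After=` on this unit does that without any script. Also, `test -e` is satisfied by an empty file, so a token file that Locksmith has created but not yet written ends the wait early; `test -s` is the safer check.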
Author
Owner

Find a way to make Locksmith work better while bootstrapping. Polling like this is pretty fucked up. Maybe there should be a proper "Consul is ready without SMT" level and Locksmith and the Chant Listener should be configured to work with that level.
@ -31,0 +55,4 @@
sleep 5
done
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
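Review bot: `consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)"` puts the system management token into the argv of the `consul` process, where any local user can read it from `/proc/*/cmdline` for as long as the command runs (the TODO on the line already flags this), and installing it as the `default` token means every request that reaches this agent without a token, including anonymous HTTP and DNS, is executed with management privileges. Install a node-scoped token as `agent` instead, leave `default` unset or on a read-only policy, and keep the value off the command line: write it into a config file the agent loads, or send `PUT /v1/agent/token/<type>` with the body read from the file. `CONSUL_HTTP_TOKEN_FILE` already keeps the authenticating token out of argv; the token being installed needs the same treatment.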
Author
Owner

Setting the default token means it's no longer required to present a token when connecting to this agent. Should probably limit this to automatic actions only (`dns`, `replication` token types?)
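The two problems discussed in the comments above, an unbounded poll for the token file and a token value passed on the `consul` command line, can be handled in a small amount of shell. The script below is an added example and is not code from the depot PR or from Locksmith. It assumes a hypothetical `/run/locksmith/consul-agentToken` containing a node-scoped token provisioned alongside the system management token, the Consul HTTP API's `PUT /v1/agent/token/<type>` endpoint with a `{"Token": ...}` body and `X-Consul-Token` header, and curl's `-K -`, which reads its config from stdin; `wait_for_token_file` bounds the wait, `agent_token_request` builds the curl config so neither secret appears in argv, and only the `agent` slot is set, so `default` stays on the anonymous policy.

```shell
#!/bin/sh
# Added example, not code from the depot PR. Assumed: a Locksmith-provisioned
# /run/locksmith/consul-agentToken holding a node-scoped token (hypothetical
# path), Consul's HTTP API `PUT /v1/agent/token/<type>` taking {"Token": ...},
# and curl reading its config from stdin with `-K -`.
set -eu

CONSUL_HTTP_ADDR="${CONSUL_HTTP_ADDR:-http://127.0.0.1:8500}"

# Wait at most $2 seconds for $1 to exist and be non-empty.
# Fails on timeout instead of looping forever like an unbounded poll.
wait_for_token_file() {
  file=$1 timeout=${2:-60} waited=0
  while ! [ -s "$file" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for $file" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

# Consul secret IDs are UUIDs. Rejecting anything else stops a malformed or
# attacker-written token file from injecting quotes or newlines into the
# request built below. The value reaches grep on stdin, never on argv.
is_secret_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# First line of a token file, trailing newline stripped.
read_token() {
  t=''
  IFS= read -r t < "$1" || [ -n "$t" ]
  printf '%s' "$t"
}

# Emit a curl config for PUT /v1/agent/token/<type>. Fed to `curl -K -` on
# stdin, so neither the authenticating token nor the token being installed
# shows up in `ps` or /proc/*/cmdline.
agent_token_request() {
  kind=$1 auth_token=$2 new_token=$3
  case "$kind" in
    default|agent|agent_recovery|replication) ;;
    *) echo "unsupported agent token type: $kind" >&2; return 1 ;;
  esac
  if ! is_secret_id "$auth_token" || ! is_secret_id "$new_token"; then
    echo "token does not look like a Consul secret ID" >&2
    return 1
  fi
  printf 'url = "%s/v1/agent/token/%s"\n' "$CONSUL_HTTP_ADDR" "$kind"
  printf 'request = "PUT"\n'
  printf 'header = "X-Consul-Token: %s"\n' "$auth_token"
  printf 'data = "{\\"Token\\":\\"%s\\"}"\n' "$new_token"
}

# set_agent_token TYPE AUTH_TOKEN_FILE NEW_TOKEN_FILE
set_agent_token() {
  agent_token_request "$1" "$(read_token "$2")" "$(read_token "$3")" \
    | curl -sS --fail -K -
}

# Stand-alone use (guarded so sourcing the file stays side-effect free):
#   RUN_EXAMPLE=1 ./consul-agent-token.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  mgmt=/run/locksmith/consul-systemManagementToken
  agent=/run/locksmith/consul-agentToken   # hypothetical path, see above
  wait_for_token_file "$mgmt" 120
  wait_for_token_file "$agent" 120
  # Only the node-scoped token becomes the agent token; `default` is left
  # alone so anonymous HTTP/DNS clients keep the anonymous policy.
  set_agent_token agent "$mgmt" "$agent"
fi
```

The token for the `agent` slot only needs a policy along the lines of `node "<nodename>" { policy = "write" }` plus read on the services it must discover; if DNS clients need more than the anonymous policy allows, that is a reason to widen the anonymous policy deliberately, not to hand the agent's `default` slot a management token.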
@ -52,2 +52,4 @@
};
};
systemd.targets.consul-ready = {
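Review bot: `systemd.targets.consul-ready = {` needs its readiness check declared with it. A target becomes active as soon as its dependencies are reached, so unless the actual check (the previous `consul-ready.service`, or whatever replaces it) is pulled in with `requires` and ordered with `after`, and not merely `wants`, which does not fail the target, units ordering after `consul-ready.target` get no guarantee that Consul is answering. A target also stays active once reached, so dependents are not re-gated when Consul restarts later; say in a comment that this is the intended semantics.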
Author
Owner

This entire thing is ugly
@ -12,3 +8,3 @@
nodes = [ n for n in machines if n != nowhere ]
for machine in nodes:
machine.succeed("systemctl start consul-ready.service")
machine.succeed("systemctl start consul-ready.target")
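Review bot: `machine.succeed("systemctl start consul-ready.target")` only proves the target could be started; `systemctl start` on a target returns success once its `Requires=` dependencies are up and ignores failed `Wants=` units, so the test can pass with Consul not ready. Follow it with `machine.wait_for_unit("consul-ready.target")` or assert on the state of the check service that pulls the target in. The comprehension `[ n for n in machines if n != nowhere ]` also deserves a one-line comment saying why that node is excluded.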
Author
Owner

ugly
@ -46,2 +46,2 @@
Requires=consul-ready.service
After=consul-ready.service
Requires=consul-ready.target
After=consul-ready.target
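Review bot: `Requires=consul-ready.target` / `After=consul-ready.target` is the same dependency pair the Nix module declares for its own units; having it hand-written in this unit file means the next rename (as `.service` to `.target` just showed) has to be chased in two places. Expose the dependency from the module as one shared attribute and consume it here. Note also that `Requires=` on a target stops this unit if the target is stopped but never reacts to Consul becoming unready, so it is an ordering guarantee only.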
Author
Owner

ugly
@ -12,6 +12,7 @@ let
consulRegisterScript = pkgs.writeShellScript "consul-register" ''
export CONSUL_HTTP_ADDR='${consulHttpAddr}'
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
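Review bot: `export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken` is unconditional, so every registration fails before ACL bootstrap (the comment below notes this) and, once the file exists, every service registers with the system management token. Guard the export on the file being readable, and register with a token whose policy is limited to `service "<name>" { policy = "write" }` for the service in question (plus node read/write only if the script touches node data); a registration script is exactly the kind of unit that should not hold a management token. The `export CONSUL_HTTP_ADDR='${consulHttpAddr}'` line is fine as is.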
Author
Owner

This should definitely be statically optional, i.e. can disable ACL support in this module. This should probably be *dynamically* optional, i.e. check for the existence of the token file first. This could be useful for registering and/or running distributed Consul services before the ACL bootstrap is complete.
@ -84,2 +86,2 @@
after = [ "consul-ready.service" ];
requires = [ "consul-ready.service" ];
after = [ "consul-ready.target" ];
requires = [ "consul-ready.target" ];
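Review bot: the `after`/`requires` switch to `"consul-ready.target"` here mirrors the hand-edited systemd unit elsewhere in this PR; grep for remaining `consul-ready.service` references before this lands, and consider making the pair a single shared attribute in the module so future renames touch one place.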
Author
Owner

ugly
max force-pushed pr-consul-acl from 28169a8bd7 to ca8d7cbe30 2024-11-10 14:40:35 +02:00 Compare
This pull request is marked as a work in progress.
This branch is out-of-date with the base branch
Reference: privatevoid.net/depot#117