sous-chefs / consul

Development repository for the consul cookbook

Home Page: https://supermarket.chef.io/cookbooks/consul

Support the new configuration format in Consul 1.4.0

Lasering opened this issue

https://www.consul.io/docs/agent/options.html#configuration-key-reference

Notably acl configurations no longer use smurf notation and are now inside their own object:

acl {
  down_policy = "deny"
  tokens {
    master = "a master token"
  }
}

acl_datacenter is now primary_datacenter

Any estimations when this will be implemented?

From what I can see the only changes to the configuration are the ones I mentioned. I just didn't list all the acl options.

Will a PR help?

I'll reiterate what I've said in the past, we should simply allow a free form JSON resource for the Consul configs.

You can already do that without waiting for the cookbook to be updated:

# Render the nested `acl` object into its own file in Consul's config directory.
file ::File.join(node['consul']['service']['config_dir'], 'acl.json') do
  # lazy: build the JSON at converge time, after attributes are fully resolved
  content(lazy { JSON.pretty_generate({ 'acl' => node[cookbook_name]['acl']['config'] }, quirks_mode: true) })
  # owner and group are set unconditionally (a string literal used as an `if`
  # condition is always truthy); the service user and group must already exist
  owner node['consul']['service_user']
  group node['consul']['service_group']
  action node[cookbook_name]['acl']['enabled'] ? :create : :delete
  notifies :reload, "consul_service[#{node['consul']['service_name']}]", :delayed
end
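
The renames listed in the issue (flat `acl_*` keys moving into a nested `acl` object, `acl_datacenter` becoming `primary_datacenter`) can be applied to an existing attribute hash before it is written out as JSON the way the workaround above does. This is an added example, not code from the cookbook or from any commenter; `migrate_consul_config`, `redact_tokens` and the sample values are hypothetical, and the mappings beyond the three shown in the issue are assumed from Consul's configuration key reference.

```ruby
require 'json'

# Legacy flat key => path in the Consul 1.4.0 layout. The first three are the
# renames shown in the issue; the rest are assumed from Consul's key reference.
LEGACY_KEY_PATHS = {
  'acl_datacenter'        => %w(primary_datacenter),
  'acl_down_policy'       => %w(acl down_policy),
  'acl_master_token'      => %w(acl tokens master),
  'acl_default_policy'    => %w(acl default_policy),
  'acl_token'             => %w(acl tokens default),
  'acl_agent_token'       => %w(acl tokens agent),
  'acl_replication_token' => %w(acl tokens replication),
}.freeze

# Constructed sample attributes (not taken from the cookbook).
SAMPLE_LEGACY = {
  'datacenter'       => 'dc1',
  'acl_datacenter'   => 'dc1',
  'acl_down_policy'  => 'deny',
  'acl_master_token' => 'a master token',
}.freeze

# Hypothetical helper: returns a new hash in the nested layout, input untouched.
def migrate_consul_config(legacy)
  config = JSON.parse(JSON.generate(legacy)) # deep copy with string keys
  LEGACY_KEY_PATHS.each do |old_key, path|
    next unless config.key?(old_key)
    value = config.delete(old_key)
    *parents, leaf = path
    target = parents.reduce(config) { |hash, key| hash[key] ||= {} }
    if target.key?(leaf) && target[leaf] != value
      raise ArgumentError, "#{old_key} conflicts with existing #{path.join('.')}"
    end
    target[leaf] = value
  end
  # Refuse to pass through an ACL setting this table does not know.
  unmapped = config.keys.grep(/\Aacl_/)
  raise ArgumentError, "unmapped legacy keys: #{unmapped.join(', ')}" unless unmapped.empty?
  config
end

# Hypothetical helper: copy that is safe to log, with token values masked.
def redact_tokens(config)
  copy = JSON.parse(JSON.generate(config))
  tokens = copy.dig('acl', 'tokens') || {}
  tokens.each_key { |name| tokens[name] = '<redacted>' }
  copy
end

puts JSON.pretty_generate(redact_tokens(migrate_consul_config(SAMPLE_LEGACY))) if $PROGRAM_NAME == __FILE__
```

The migrated hash carries ACL tokens, so when a Chef `file` resource writes it, set `sensitive true` and a restrictive `mode` on that resource.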

Closing as fixed. If this isn't the case please feel free to reopen and discuss more!

@damacus I can't reopen. Although I can use the above code to fix it, I shouldn't have to:
The idea of having a cookbook/recipe is to abstract the way a certain program is installed/managed. With the above approach I would have to include that snippet in all the services which will install the consul agent.

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

I can make a PR if that helps

Hello All,
As I use Chef with the Consul cookbook and didn't find any software capable of setting Consul's new non-legacy ACL to some state, I wrote a console app that does that - https://gitlab.com/zhemer/consul_acl
Now the recipe works fine with this helper)

$ ./consul_acl -f consul_acl.json -a vm-centos -t $t
Removed policy "policy-octopus"
Removed policy "policy-vault"
Created policy "pol-nginx"
Created policy "pol-vault"
Created policy "pol-octopus"
Created policy "pol-kube"
Updated role "role-octopus": Policies: 'policy-octopus' => 'pol-octopus'
Updated role "role1": Policies: 'policy-octopus,policy-vault' => 'pol-octopus,pol-vault'
Created role "role-nginx"
Removed token "505b8379-bc33-402c-8d0d-e026ac206da9"
Removed token "fbb42a97-42eb-44f0-b2de-0e3126c63cce"
Removed token "629e6ca8-971c-470b-badd-80babdd1a7df"
Created token {"nginx" ["pol-nginx"] [] "70422b37-4526-4513-87c4-04be72540dc0"}
Created token {"kube" ["pol-kube"] ["role1"] "a58ce363-646b-4a6b-bd93-26a038170619"}
Created token {"vault" ["pol-vault"] [] "f6774eb5-17df-45af-818b-4f7742defe69"}