[FEATURE] add support for Consul ACLs #13

Open
maxadamo opened this issue Jun 16, 2023 · 2 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@maxadamo

Is your feature request related to a problem? Please describe.

Cilium-agent and Netreap are erroring because I have ACLs on Consul.

I have been able to sort out the issue on the cilium-agent by adding the environment variable to the docker startup command, as follows:

    ExecStart=/usr/bin/docker run --rm --name %n \
      -v /var/run/cilium:/var/run/cilium \
      -v /sys/fs/bpf:/sys/fs/bpf \
      --env CONSUL_HTTP_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
      --net=host \
      --cap-add NET_ADMIN \
      --cap-add NET_RAW \
      ...

Unfortunately, the same approach didn't work with Netreap.
For instance, in the task configuration I added the variables:

    task "netreap" {
      driver = "docker"

      env {
        NETREAP_CILIUM_CIDR = "172.16.0.0/16"
        NETREAP_DEBUG       = "true"
        CONSUL_HTTP_TOKEN   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        CONSUL_TOKEN        = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }

      config {
        image        = "ghcr.io/cosmonic/netreap:0.1.0"
        network_mode = "host"

        volumes = [
          "/var/run/cilium:/var/run/cilium"
        ]
      }
    }

But I keep getting this error (see below: 403 denied):

    2023-06-16T13:03:40.395Z	DEBUG	netreap/main.go:124	Starting node reaper
    2023-06-16T13:03:40.395Z	DEBUG	reapers/nodes.go:107	Beginning reconciliation
    2023-06-16T13:03:40.395Z	DEBUG	reapers/nodes.go:108	Getting nomad node list
    2023-06-16T13:03:40.402Z	FATAL	netreap/main.go:94	unable to perform initial reconciliation: unable to list nodes: Unexpected response code: 403 (Permission denied)
    main.main
    	/netreap/main.go:94
    runtime.main

Describe the solution you'd like

The variable CONSUL_HTTP_TOKEN is ineffective (I also tried adding CONSUL_TOKEN).
In main.go, between lines 40 and 74, you are not trying to access the variable for the token.
Is this the cause of my issue?
Would it be possible to add the token there?

@protochron
Contributor

It looks like this is actually an issue with the task not having a NOMAD_TOKEN capable of listing nodes: unable to list nodes: Unexpected response code: 403 (Permission denied).

If you reconfigure your task to define a NOMAD_TOKEN variable in addition to a Consul ACL token, then it should work.

@maxadamo
Author

That was caused by a missing token for Nomad, since we have ACLs in Nomad as well.
