@TJM
Last active January 17, 2022 12:42
Consul OIDC Issue
  • Download Enterprise Consul from https://releases.hashicorp.com/consul/ for your OS (we have tried 1.9.6 - 1.10.1). Make sure to get the +ent build; OIDC auth methods are an Enterprise-only feature. We are testing on "darwin" (macOS), but the production environment will be Linux.
  • Unzip into a "consul" working directory locally
  • Create a license.txt file with the consul enterprise license.
  • Create an empty data directory
  • Create a config.d directory with a single file (acl.hcl) with the following contents:
acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
  • Start Consul as a single bootstrap server with the following command (adjust as necessary; it should work as written):
export CONSUL_LICENSE_PATH=./license.txt
./consul agent -server -ui \
  -bootstrap \
  -node localhost \
  -bind=127.0.0.1 \
  -data-dir=./data \
  -config-dir=./config.d
  • Bootstrap the ACL system: ./consul acl bootstrap (save this output; the SecretID it prints is the global-management token)
  • Set an environment variable with the SecretID from the output above (example: export CONSUL_HTTP_TOKEN=b239d966-4f40-146c-1b13-3c60ec477d7b)
  • Create an agent policy in Consul: ./consul acl policy create -name node_localhost -rules 'node "localhost" { policy = "write" } service_prefix "" { policy = "read" }'
  • Obtain an agent token: ./consul acl token create -description "localhost agent token" -policy-name node_localhost
  • Assign the agent token to the agent: ./consul acl set-agent-token agent <SecretID from the previous command>
  • Optional: the "Coordinate update blocked" error messages should stop, and ./consul members should look roughly like:
[tmcneely@local NEW]$ ./consul members
Node       Address         Status  Type    Build       Protocol  DC   Segment
localhost  127.0.0.1:8301  alive   server  1.10.0+ent  2         dc1  <all>

(start of actual OIDC steps)

  • Create a read-only policy in Consul: ./consul acl policy create -name read-only -rules 'service_prefix "" { policy="read" } node_prefix "" { policy="read" }'
  • Create a default-user role: ./consul acl role create -name default-user -policy-name read-only
  • Create the OIDC config file, google.json (easier than jamming it on the command line IMO). Update BoundAudiences, OIDCClientID and OIDCClientSecret to match the Google Cloud Console settings. The file holds the client secret, so keep it out of version control and readable only by you:
{
  "VerboseOIDCLogging": true,
  "OIDCScopes": [
    "profile",
    "email"
  ],
  "AllowedRedirectURIs": [
    "http://localhost:8550/oidc/callback",
    "http://localhost:8500/ui/oidc/callback"
  ],
  "BoundAudiences": [
    "4856(CENSORED)to8bvq0iul.apps.googleusercontent.com"
  ],
  "ClaimMappings": {
    "email": "email",
    "name": "name"
  },

  "OIDCClientID": "4856(CENSORED)to8bvq0iul.apps.googleusercontent.com",
  "OIDCClientSecret": "6J79(CENSORED)Stq",
  "OIDCDiscoveryURL": "https://accounts.google.com"
}
  • Add the OIDC auth method to Consul from that file: ./consul acl auth-method create -name google -type oidc -max-token-ttl 15m -config @google.json
  • Create the binding rule: ./consul acl binding-rule create -method=google -bind-type=role -bind-name=default-user. Note that with no -selector this rule binds every identity that completes the Google login to default-user; to limit it to your own accounts, add a selector on a mapped claim, for example -selector='value.email == "alice@example.com"' (example selector; adjust to your own users or domain).

TEST: open http://localhost:8500/ in a browser and log in through the google auth method.
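The whole procedure above as one script, added here as an example (it is not part of the original gist). It assumes ./consul is the +ent binary, already running with the acl.hcl above, and that GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET (variable names assumed here, not Consul settings) carry the Google Cloud Console values. Instead of pasting tokens by hand it parses the SecretID line that consul acl bootstrap and consul acl token create print, and it writes google.json owner-readable only so the client secret never lands on a command line or in a world-readable file.

```shell
#!/usr/bin/env sh
# Added example, not the gist's own code. Scripts the ACL bootstrap and OIDC
# auth-method steps end to end. Assumed: ./consul (+ent) is running with
# acl.hcl; GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET are set in the environment.
set -eu

CONSUL=${CONSUL:-./consul}

# Pull the SecretID out of `consul acl bootstrap` / `consul acl token create`
# output. Both print a "SecretID:   <uuid>" line.
secret_id_from() {
  printf '%s\n' "$1" | awk '$1 == "SecretID:" { print $2; exit }'
}

# Write the OIDC auth-method config. BoundAudiences is the client id, as on
# the page. The client secret is read from the environment, and the file is
# created with mode 0600 because it contains that secret.
render_oidc_config() {
  client_id=$1; client_secret=$2; out=$3
  (
    umask 077
    cat >"$out" <<EOF
{
  "VerboseOIDCLogging": true,
  "OIDCScopes": ["profile", "email"],
  "AllowedRedirectURIs": [
    "http://localhost:8550/oidc/callback",
    "http://localhost:8500/ui/oidc/callback"
  ],
  "BoundAudiences": ["$client_id"],
  "ClaimMappings": { "email": "email", "name": "name" },
  "OIDCClientID": "$client_id",
  "OIDCClientSecret": "$client_secret",
  "OIDCDiscoveryURL": "https://accounts.google.com"
}
EOF
  )
}

# The gist's steps, in order. Only runs when invoked as: sh setup-oidc.sh setup
setup() {
  # 1. Bootstrap ACLs; the management token stays in this shell's environment.
  CONSUL_HTTP_TOKEN=$(secret_id_from "$("$CONSUL" acl bootstrap)")
  export CONSUL_HTTP_TOKEN

  # 2. Agent token so the server can update itself
  #    (this is what stops the "Coordinate update blocked" messages).
  "$CONSUL" acl policy create -name node_localhost \
    -rules 'node "localhost" { policy = "write" } service_prefix "" { policy = "read" }'
  agent_token=$(secret_id_from "$("$CONSUL" acl token create \
    -description "localhost agent token" -policy-name node_localhost)")
  "$CONSUL" acl set-agent-token agent "$agent_token"

  # 3. Read-only policy and the role that OIDC logins are bound to.
  "$CONSUL" acl policy create -name read-only \
    -rules 'service_prefix "" { policy = "read" } node_prefix "" { policy = "read" }'
  "$CONSUL" acl role create -name default-user -policy-name read-only

  # 4. OIDC auth method from the rendered file, plus the binding rule.
  #    Without a -selector every Google identity that logs in gets default-user.
  render_oidc_config "$GOOGLE_CLIENT_ID" "$GOOGLE_CLIENT_SECRET" google.json
  "$CONSUL" acl auth-method create -name google -type oidc \
    -max-token-ttl 15m -config @google.json
  "$CONSUL" acl binding-rule create -method=google -bind-type=role \
    -bind-name=default-user
}

if [ "${1:-}" = "setup" ]; then
  setup
fi
```

The management token is exported only within the script's process, so it does not end up in the shell history the way a pasted export CONSUL_HTTP_TOKEN=... does; google.json still has to be deleted or kept locked down after the auth method is created, since Consul has a copy of the secret from that point on.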
