This benchmark will test the dynamic generation of Consul credentials.
version(string: "1.14.0")- Specifies the version of Consul. This is used to determine the correct API calls to make.
address(string: <required>)- Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500".scheme(string: "http")- Specifies the URL scheme to use.token(string: "")- Specifies the Consul ACL token to use. This must be a management type token. If this is not provided, Vault will try to bootstrap the ACL system of the Consul cluster automatically. This can also be provided via theVAULT_BENCHMARK_CONSUL_TOKENenvironment variable.ca_cert(string: "")- CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.client_cert(string: "")- Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key.client_key(string: "")- Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.
name(string: "benchmark-role")– Specifies the name of an existing role against which to create this Consul credential. This is part of the request URL.token_typeDEPRECATED (1.11)(string: "client")- Specifies the type of token to create when using this role. Valid values are"client"or"management". If a"management"token, thepolicyparameter is not required. Defaults to"client".policyDEPRECATED (1.11)(string: "")– Specifies the base64-encoded ACL policy. This is required unless thetoken_typeis"management".policiesDEPRECATED (1.11)(list: <policy or policies>)- Same asconsul_policies. Deprecated in favor of usingconsul_policies.consul_policies(list: <policy or policies>)– The list of Consul policies to assign to the generated token. This field is required if using using Consul 1.4.local(bool: false)- Indicates that the token should not be replicated globally and instead be local to the current datacenter. Only available in Consul 1.4 and greater.ttl(duration: "")– Specifies the TTL for this role. If not provided, the default Vault TTL is used. Uses duration format strings.max_ttl(duration: "")– Specifies the max TTL for this role. If not provided, the default Vault Max TTL is used. Uses duration format strings.
service_identities(list: <service identity or identities>)- The list of service identities to assign to the generated token. This may be a comma-separated list to attach multiple service identities to a token.consul_roles(list: <role or roles>)– The list of Consul roles to attach to the token generated by Vault.
consul_namespace(string: "")- Specifies the Consul namespace in which the token is generated. The namespace must exist, and the Consul policies or roles assigned to the Vault role must also exist inside the given Consul namespace. If not provided, the namespacedefaultis used.
node_identities(list: <node identity or identities>)- The list of node identities to assign to the generated token. This may be a comma-separated list to attach multiple node identities to a token.
partition(string: "")- Specifies the Consul admin partition in which the token is generated. The partition must exist, and the Consul policies or roles assigned to the Vault role must also exist inside the given partition. If not provided, the partitiondefaultis used.
test "consul_secret" "consul_test_1" {
weight = 100
config {
version = "1.8.0"
consul_config {
address = "127.0.0.1:8500"
}
role_config {
node_identities = [
"client-1:dc1",
"client-2:dc1"
]
}
}
}