feat: allow configuring workload identities for sidecar_task

3nprob · 3nprob · commit 1b824d5672e2 · 2025-05-19T22:22:42.000Z
diff --git a/.changelog/25877.txt b/.changelog/25877.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: allow configuring identities for sidecar_task
+```
diff --git a/api/consul.go b/api/consul.go
@@ -116,6 +116,7 @@ type SidecarTask struct {
 	ShutdownDelay *time.Duration         `mapstructure:"shutdown_delay" hcl:"shutdown_delay,optional"`
 	KillSignal    string                 `mapstructure:"kill_signal" hcl:"kill_signal,optional"`
 	VolumeMounts  []*VolumeMount         `hcl:"volume_mount,block"`
+	Identities    []*WorkloadIdentity    `hcl:"identity,block"`
 }
 
 func (st *SidecarTask) Canonicalize() {
diff --git a/command/agent/job_endpoint.go b/command/agent/job_endpoint.go
@@ -2117,6 +2117,19 @@ func apiConnectSidecarTaskToStructs(in *api.SidecarTask) *structs.SidecarTask {
 		return nil
 	}
 
+	var identities []*structs.WorkloadIdentity
+
+	if ids := in.Identities; len(ids) > 0 {
+		identities = make([]*structs.WorkloadIdentity, 0, len(ids))
+		for _, id := range ids {
+			if id == nil {
+				continue
+			}
+
+			identities = append(identities, apiWorkloadIdentityToStructs(id))
+		}
+	}
+
 	return &structs.SidecarTask{
 		Name:          in.Name,
 		Driver:        in.Driver,
@@ -2130,6 +2143,7 @@ func apiConnectSidecarTaskToStructs(in *api.SidecarTask) *structs.SidecarTask {
 		KillTimeout:   in.KillTimeout,
 		LogConfig:     apiLogConfigToStructs(in.LogConfig),
 		VolumeMounts:  apiVolumeMountsToStructs(in.VolumeMounts),
+		Identities:    identities,
 	}
 }
 
diff --git a/nomad/structs/diff.go b/nomad/structs/diff.go
@@ -1703,6 +1703,11 @@ func sidecarTaskDiff(old, new *SidecarTask, contextual bool) *ObjectDiff {
 		diff.Objects = append(diff.Objects, rDiff)
 	}
 
+	// identities diff
+	if idDiffs := idSliceDiffs(old.Identities, new.Identities, contextual); idDiffs != nil {
+		diff.Objects = append(diff.Objects, idDiffs...)
+	}
+
 	// LogConfig diff
 	lDiff := primitiveObjectDiff(old.LogConfig, new.LogConfig, nil, "LogConfig", contextual)
 	if lDiff != nil {
diff --git a/nomad/structs/services.go b/nomad/structs/services.go
@@ -1433,6 +1433,9 @@ type SidecarTask struct {
 	// VolumeMounts is a list of Volume name <-> mount configurations that will be
 	// attached to this task.
 	VolumeMounts []*VolumeMount
+
+	// Identities is a list of Workload Identies to attach to this task
+	Identities []*WorkloadIdentity
 }
 
 func (t *SidecarTask) Equal(o *SidecarTask) bool {
@@ -1490,6 +1493,11 @@ func (t *SidecarTask) Equal(o *SidecarTask) bool {
 		return false
 	}
 
+	if !slices.EqualFunc(t.Identities, o.Identities,
+		func(tID, oID *WorkloadIdentity) bool { return tID.Equal(oID) }) {
+		return false
+	}
+
 	return true
 }
 
@@ -1521,6 +1529,8 @@ func (t *SidecarTask) Copy() *SidecarTask {
 
 	nt.VolumeMounts = CopySliceVolumeMount(t.VolumeMounts)
 
+	nt.Identities = CopySliceWorkloadIdentity(t.Identities)
+
 	return nt
 }
 
@@ -1597,6 +1607,10 @@ func (t *SidecarTask) MergeIntoTask(task *Task) {
 	if t.VolumeMounts != nil {
 		task.VolumeMounts = t.VolumeMounts
 	}
+
+	if t.Identities != nil {
+		task.Identities = t.Identities
+	}
 }
 
 // ConsulProxy represents a Consul Connect sidecar proxy jobspec block.
diff --git a/nomad/structs/workload_id.go b/nomad/structs/workload_id.go
@@ -573,3 +573,16 @@ func (w *WIHandle) Equal(o WIHandle) bool {
 		w.WorkloadIdentifier == o.WorkloadIdentifier &&
 		w.WorkloadType == o.WorkloadType
 }
+
+func CopySliceWorkloadIdentity(s []*WorkloadIdentity) []*WorkloadIdentity {
+	l := len(s)
+	if l == 0 {
+		return nil
+	}
+
+	c := make([]*WorkloadIdentity, l)
+	for i, v := range s {
+		c[i] = v.Copy()
+	}
+	return c
+}
diff --git a/website/content/docs/job-specification/identity.mdx b/website/content/docs/job-specification/identity.mdx
@@ -12,6 +12,7 @@ description: |-
     ['job', 'group', 'service', 'identity'],
     ['job', 'group', 'task', 'identity'],
     ['job', 'group', 'task', 'service', 'identity'],
+    ['job', 'group', 'service', 'connect', 'sidecar_task', 'identity'],
   ]}
 />
 
diff --git a/website/content/docs/job-specification/sidecar_task.mdx b/website/content/docs/job-specification/sidecar_task.mdx
@@ -156,6 +156,9 @@ meta.connect.sidecar_image = custom/envoy-${NOMAD_envoy_version}:latest
 - `volume_mount` <code>([VolumeMount][]: nil)</code> - Specifies where a group
   volume should be mounted.
 
+- `identity` <code>([Identity][]: nil)</code> - Expose [Workload Identity][] to
+  the task.
+
 ## Examples
 
 The following example configures resources for the sidecar task and other configuration.
@@ -181,6 +184,7 @@ The following example configures resources for the sidecar task and other config
 [group]: /nomad/docs/job-specification/group 'Nomad group Job Specification'
 [interpolation]: /nomad/docs/runtime/interpolation 'Nomad interpolation'
 [job]: /nomad/docs/job-specification/job 'Nomad job Job Specification'
+[Identity]: /nomad/docs/job-specification/identity 'Nomad identity Job Specification'
 [logs]: /nomad/docs/job-specification/logs 'Nomad logs Job Specification'
 [resources]: /nomad/docs/job-specification/resources 'Nomad resources Job Specification'
 [sidecar_service]: /nomad/docs/job-specification/sidecar_service 'Nomad sidecar service Specification'

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:improvement
	`2`	`+connect: allow configuring identities for sidecar_task`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,7 @@ type SidecarTask struct {`
`116`	`116`	ShutdownDelay *time.Duration `mapstructure:"shutdown_delay" hcl:"shutdown_delay,optional"`
`117`	`117`	KillSignal string `mapstructure:"kill_signal" hcl:"kill_signal,optional"`
`118`	`118`	VolumeMounts []*VolumeMount `hcl:"volume_mount,block"`
	`119`	+ Identities []*WorkloadIdentity `hcl:"identity,block"`
`119`	`120`	`}`
`120`	`121`
`121`	`122`	`func (st *SidecarTask) Canonicalize() {`
Original file line number	Diff line number	Diff line change
`@@ -1433,6 +1433,9 @@ type SidecarTask struct {`
`1433`	`1433`	`// VolumeMounts is a list of Volume name <-> mount configurations that will be`
`1434`	`1434`	`// attached to this task.`
`1435`	`1435`	`VolumeMounts []*VolumeMount`
	`1436`	`+`
	`1437`	`+ // Identities is a list of Workload Identies to attach to this task`
	`1438`	`+ Identities []*WorkloadIdentity`
`1436`	`1439`	`}`
`1437`	`1440`
`1438`	`1441`	`func (t SidecarTask) Equal(o SidecarTask) bool {`
`@@ -1490,6 +1493,11 @@ func (t SidecarTask) Equal(o SidecarTask) bool {`
`1490`	`1493`	`return false`
`1491`	`1494`	`}`
`1492`	`1495`
	`1496`	`+ if !slices.EqualFunc(t.Identities, o.Identities,`
	`1497`	`+ func(tID, oID *WorkloadIdentity) bool { return tID.Equal(oID) }) {`
	`1498`	`+ return false`
	`1499`	`+ }`
	`1500`	`+`
`1493`	`1501`	`return true`
`1494`	`1502`	`}`
`1495`	`1503`
`@@ -1521,6 +1529,8 @@ func (t SidecarTask) Copy() SidecarTask {`
`1521`	`1529`
`1522`	`1530`	`nt.VolumeMounts = CopySliceVolumeMount(t.VolumeMounts)`
`1523`	`1531`
	`1532`	`+ nt.Identities = CopySliceWorkloadIdentity(t.Identities)`
	`1533`	`+`
`1524`	`1534`	`return nt`
`1525`	`1535`	`}`
`1526`	`1536`
`@@ -1597,6 +1607,10 @@ func (t SidecarTask) MergeIntoTask(task Task) {`
`1597`	`1607`	`if t.VolumeMounts != nil {`
`1598`	`1608`	`task.VolumeMounts = t.VolumeMounts`
`1599`	`1609`	`}`
	`1610`	`+`
	`1611`	`+ if t.Identities != nil {`
	`1612`	`+ task.Identities = t.Identities`
	`1613`	`+ }`
`1600`	`1614`	`}`
`1601`	`1615`
`1602`	`1616`	`// ConsulProxy represents a Consul Connect sidecar proxy jobspec block.`