feat: allow configuring workload identities for sidecar_task

Author: 3np

api/consul.go

@@ -116,6 +116,7 @@ type SidecarTask struct {
 	ShutdownDelay *time.Duration         `mapstructure:"shutdown_delay" hcl:"shutdown_delay,optional"`
 	KillSignal    string                 `mapstructure:"kill_signal" hcl:"kill_signal,optional"`
 	VolumeMounts  []*VolumeMount         `hcl:"volume_mount,block"`
+	Identities    []*WorkloadIdentity    `hcl:"identity,block"`
 }
 
 func (st *SidecarTask) Canonicalize() {

command/agent/job_endpoint.go

@@ -2117,6 +2117,19 @@ func apiConnectSidecarTaskToStructs(in *api.SidecarTask) *structs.SidecarTask {
 		return nil
 	}
 
+	var identities []*structs.WorkloadIdentity
+
+	if ids := in.Identities; len(ids) > 0 {
+		identities = make([]*structs.WorkloadIdentity, 0, len(ids))
+		for _, id := range ids {
+			if id == nil {
+				continue
+			}
+
+			identities = append(identities, apiWorkloadIdentityToStructs(id))
+		}
+	}
+
 	return &structs.SidecarTask{
 		Name:          in.Name,
 		Driver:        in.Driver,
@@ -2130,6 +2143,7 @@ func apiConnectSidecarTaskToStructs(in *api.SidecarTask) *structs.SidecarTask {
 		KillTimeout:   in.KillTimeout,
 		LogConfig:     apiLogConfigToStructs(in.LogConfig),
 		VolumeMounts:  apiVolumeMountsToStructs(in.VolumeMounts),
+		Identities:    identities,
 	}
 }
 

nomad/structs/diff.go

@@ -1709,6 +1709,16 @@ func sidecarTaskDiff(old, new *SidecarTask, contextual bool) *ObjectDiff {
 		diff.Objects = append(diff.Objects, lDiff)
 	}
 
+	// identities diff
+	if idDiffs := idSliceDiffs(old.Identities, new.Identities, contextual); idDiffs != nil {
+		diff.Objects = append(diff.Objects, idDiffs...)
+	}
+
+	// volume_mount diff
+	if vDiffs := volumeMountsDiffs(old.VolumeMounts, new.VolumeMounts, contextual); vDiffs != nil {
+		diff.Objects = append(diff.Objects, vDiffs...)
+	}
+
 	return diff
 }
 

nomad/structs/services.go

@@ -1433,6 +1433,9 @@ type SidecarTask struct {
 	// VolumeMounts is a list of Volume name <-> mount configurations that will be
 	// attached to this task.
 	VolumeMounts []*VolumeMount
+
+	// Identities is a list of Workload Identies to attach to this task
+	Identities []*WorkloadIdentity
 }
 
 func (t *SidecarTask) Equal(o *SidecarTask) bool {
@@ -1490,6 +1493,11 @@ func (t *SidecarTask) Equal(o *SidecarTask) bool {
 		return false
 	}
 
+	if !slices.EqualFunc(t.Identities, o.Identities,
+		func(tID, oID *WorkloadIdentity) bool { return tID.Equal(oID) }) {
+		return false
+	}
+
 	return true
 }
 
@@ -1521,6 +1529,8 @@ func (t *SidecarTask) Copy() *SidecarTask {
 
 	nt.VolumeMounts = CopySliceVolumeMount(t.VolumeMounts)
 
+	nt.Identities = CopySliceWorkloadIdentity(t.Identities)
+
 	return nt
 }
 
@@ -1597,6 +1607,10 @@ func (t *SidecarTask) MergeIntoTask(task *Task) {
 	if t.VolumeMounts != nil {
 		task.VolumeMounts = t.VolumeMounts
 	}
+
+	if t.Identities != nil {
+		task.Identities = t.Identities
+	}
 }
 
 // ConsulProxy represents a Consul Connect sidecar proxy jobspec block.

nomad/structs/workload_id.go

@@ -573,3 +573,16 @@ func (w *WIHandle) Equal(o WIHandle) bool {
 		w.WorkloadIdentifier == o.WorkloadIdentifier &&
 		w.WorkloadType == o.WorkloadType
 }
+
+func CopySliceWorkloadIdentity(s []*WorkloadIdentity) []*WorkloadIdentity {
+	l := len(s)
+	if l == 0 {
+		return nil
+	}
+
+	c := make([]*WorkloadIdentity, l)
+	for i, v := range s {
+		c[i] = v.Copy()
+	}
+	return c
+}