command, docs: create and document consul token configuration for connect acls (gh-6716)

This change provides an initial pass at setting up the configuration necessary to enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert` commands (similar to Vault tokens). These values are not actually used yet in this changeset.

command, docs: create and document consul token configuration for connect acls (gh-6716)
This change provides an initial pass at setting up the configuration necessary to enable use of Connect with Consul ACLs. Operators will be able to pass in a Consul Token through `-consul-token` or `$CONSUL_TOKEN` in the `job run` and `job revert` commands (similar to Vault tokens). These values are not actually used yet in this changeset.
0040c75e · Seth Hoenig · 74e10b10 · 0040c75e · 0040c75e · 0040c75e
Commit 0040c75e authored 5 years ago by Seth Hoenig
Hide whitespace changes
Inline Side-by-side

Showing

with 247 additions and 70 deletions
+247 -70
--- a/api/jobs.go
+++ b/api/jobs.go
@@ -336,14 +336,15 @@ func (j *Jobs) Dispatch(jobID string, meta map[string]string,
 // enforceVersion is set, the job is only reverted if the current version is at
 // the passed version.
 func (j *Jobs) Revert(jobID string, version uint64, enforcePriorVersion *uint64,
-	q *WriteOptions, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {
+	q *WriteOptions, consulToken, vaultToken string) (*JobRegisterResponse, *WriteMeta, error) {

 	var resp JobRegisterResponse
 	req := &JobRevertRequest{
 		JobID:               jobID,
 		JobVersion:          version,
 		EnforcePriorVersion: enforcePriorVersion,
-		VaultToken:          vaultToken,
+		// ConsulToken:         consulToken, // TODO(shoenig) enable!
+		VaultToken: vaultToken,
 	}
 	wm, err := j.client.write("/v1/job/"+url.PathEscape(jobID)+"/revert", req, &resp, q)
 	if err != nil {
@@ -670,6 +671,7 @@ type Job struct {
 	Reschedule        *ReschedulePolicy
 	Migrate           *MigrateStrategy
 	Meta              map[string]string
+	ConsulToken       *string `mapstructure:"consul_token"`
 	VaultToken        *string `mapstructure:"vault_token"`
 	Status            *string
 	StatusDescription *string
@@ -722,6 +724,9 @@ func (j *Job) Canonicalize() {
 	if j.AllAtOnce == nil {
 		j.AllAtOnce = boolToPtr(false)
 	}
+	if j.ConsulToken == nil {
+		j.ConsulToken = stringToPtr("")
+	}
 	if j.VaultToken == nil {
 		j.VaultToken = stringToPtr("")
 	}
@@ -966,6 +971,12 @@ type JobRevertRequest struct {
 	// version before reverting.
 	EnforcePriorVersion *uint64

+	// ConsulToken is the Consul token that proves the submitter of the job revert
+	// has access to the Service Identity policies associated with the job's
+	// Consul Connect enabled services. This field is only used to transfer the
+	// token and is not stored after the Job revert.
+	ConsulToken string `json:",omitempty"`
+
 	// VaultToken is the Vault token that proves the submitter of the job revert
 	// has access to any Vault policies specified in the targeted job version. This
 	// field is only used to authorize the revert and is not stored after the Job

--- a/api/jobs_test.go
+++ b/api/jobs_test.go
@@ -99,6 +99,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr(""),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Status:            stringToPtr(""),
 				StatusDescription: stringToPtr(""),
@@ -186,6 +187,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr(""),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Status:            stringToPtr(""),
 				StatusDescription: stringToPtr(""),
@@ -256,6 +258,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr("lol"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -416,6 +419,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				Region:            stringToPtr("global"),
 				Type:              stringToPtr("service"),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -566,6 +570,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				Type:              stringToPtr("service"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -650,6 +655,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 				ParentID:          stringToPtr("lol"),
 				Priority:          intToPtr(50),
 				AllAtOnce:         boolToPtr(false),
+				ConsulToken:       stringToPtr(""),
 				VaultToken:        stringToPtr(""),
 				Stop:              boolToPtr(false),
 				Stable:            boolToPtr(false),
@@ -846,13 +852,13 @@ func TestJobs_Revert(t *testing.T) {
 	assertWriteMeta(t, wm)

 	// Fail revert at incorrect enforce
-	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "")
+	_, _, err = jobs.Revert(*job.ID, 0, uint64ToPtr(10), nil, "", "")
 	if err == nil || !strings.Contains(err.Error(), "enforcing version") {
 		t.Fatalf("expected enforcement error: %v", err)
 	}

 	// Works at correct index
-	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "")
+	revertResp, wm, err := jobs.Revert(*job.ID, 0, uint64ToPtr(1), nil, "", "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}

--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -155,6 +155,10 @@ func (c *Command) readConfig() *Config {
 		return nil
 	}), "consul-verify-ssl", "")
 	flags.StringVar(&cmdConfig.Consul.Addr, "consul-address", "", "")
+	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {
+		cmdConfig.Consul.AllowUnauthenticated = &b
+		return nil
+	}), "consul-allow-unauthenticated", "")

 	// Vault options
 	flags.Var((flaghelper.FuncBoolVar)(func(b bool) error {
@@ -560,6 +564,7 @@ func (c *Command) AutocompleteFlags() complete.Flags {
 		"-consul-ssl":                    complete.PredictNothing,
 		"-consul-verify-ssl":             complete.PredictNothing,
 		"-consul-address":                complete.PredictAnything,
+		"-consul-token":                  complete.PredictAnything,
 		"-vault-enabled":                 complete.PredictNothing,
 		"-vault-allow-unauthenticated":   complete.PredictNothing,
 		"-vault-token":                   complete.PredictAnything,

--- a/command/agent/config_parse_test.go
+++ b/command/agent/config_parse_test.go
@@ -151,25 +151,26 @@ var basicConfig = &Config{
 	DisableUpdateCheck:        helper.BoolToPtr(true),
 	DisableAnonymousSignature: true,
 	Consul: &config.ConsulConfig{
-		ServerServiceName:   "nomad",
-		ServerHTTPCheckName: "nomad-server-http-health-check",
-		ServerSerfCheckName: "nomad-server-serf-health-check",
-		ServerRPCCheckName:  "nomad-server-rpc-health-check",
-		ClientServiceName:   "nomad-client",
-		ClientHTTPCheckName: "nomad-client-http-health-check",
-		Addr:                "127.0.0.1:9500",
-		Token:               "token1",
-		Auth:                "username:pass",
-		EnableSSL:           &trueValue,
-		VerifySSL:           &trueValue,
-		CAFile:              "/path/to/ca/file",
-		CertFile:            "/path/to/cert/file",
-		KeyFile:             "/path/to/key/file",
-		ServerAutoJoin:      &trueValue,
-		ClientAutoJoin:      &trueValue,
-		AutoAdvertise:       &trueValue,
-		ChecksUseAdvertise:  &trueValue,
-		Timeout:             5 * time.Second,
+		ServerServiceName:    "nomad",
+		ServerHTTPCheckName:  "nomad-server-http-health-check",
+		ServerSerfCheckName:  "nomad-server-serf-health-check",
+		ServerRPCCheckName:   "nomad-server-rpc-health-check",
+		ClientServiceName:    "nomad-client",
+		ClientHTTPCheckName:  "nomad-client-http-health-check",
+		Addr:                 "127.0.0.1:9500",
+		AllowUnauthenticated: &trueValue,
+		Token:                "token1",
+		Auth:                 "username:pass",
+		EnableSSL:            &trueValue,
+		VerifySSL:            &trueValue,
+		CAFile:               "/path/to/ca/file",
+		CertFile:             "/path/to/cert/file",
+		KeyFile:              "/path/to/key/file",
+		ServerAutoJoin:       &trueValue,
+		ClientAutoJoin:       &trueValue,
+		AutoAdvertise:        &trueValue,
+		ChecksUseAdvertise:   &trueValue,
+		Timeout:              5 * time.Second,
 	},
 	Vault: &config.VaultConfig{
 		Addr:                 "127.0.0.1:9500",

--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@@ -159,21 +159,22 @@ func TestConfig_Merge(t *testing.T) {
 			TLSServerName:        "1",
 		},
 		Consul: &config.ConsulConfig{
-			ServerServiceName:  "1",
-			ClientServiceName:  "1",
-			AutoAdvertise:      &falseValue,
-			Addr:               "1",
-			Timeout:            1 * time.Second,
-			Token:              "1",
-			Auth:               "1",
-			EnableSSL:          &falseValue,
-			VerifySSL:          &falseValue,
-			CAFile:             "1",
-			CertFile:           "1",
-			KeyFile:            "1",
-			ServerAutoJoin:     &falseValue,
-			ClientAutoJoin:     &falseValue,
-			ChecksUseAdvertise: &falseValue,
+			ServerServiceName:    "1",
+			ClientServiceName:    "1",
+			AutoAdvertise:        &falseValue,
+			Addr:                 "1",
+			AllowUnauthenticated: &falseValue,
+			Timeout:              1 * time.Second,
+			Token:                "1",
+			Auth:                 "1",
+			EnableSSL:            &falseValue,
+			VerifySSL:            &falseValue,
+			CAFile:               "1",
+			CertFile:             "1",
+			KeyFile:              "1",
+			ServerAutoJoin:       &falseValue,
+			ClientAutoJoin:       &falseValue,
+			ChecksUseAdvertise:   &falseValue,
 		},
 		Autopilot: &config.AutopilotConfig{
 			CleanupDeadServers:      &falseValue,
@@ -333,21 +334,22 @@ func TestConfig_Merge(t *testing.T) {
 			TLSServerName:        "2",
 		},
 		Consul: &config.ConsulConfig{
-			ServerServiceName:  "2",
-			ClientServiceName:  "2",
-			AutoAdvertise:      &trueValue,
-			Addr:               "2",
-			Timeout:            2 * time.Second,
-			Token:              "2",
-			Auth:               "2",
-			EnableSSL:          &trueValue,
-			VerifySSL:          &trueValue,
-			CAFile:             "2",
-			CertFile:           "2",
-			KeyFile:            "2",
-			ServerAutoJoin:     &trueValue,
-			ClientAutoJoin:     &trueValue,
-			ChecksUseAdvertise: &trueValue,
+			ServerServiceName:    "2",
+			ClientServiceName:    "2",
+			AutoAdvertise:        &trueValue,
+			Addr:                 "2",
+			AllowUnauthenticated: &trueValue,
+			Timeout:              2 * time.Second,
+			Token:                "2",
+			Auth:                 "2",
+			EnableSSL:            &trueValue,
+			VerifySSL:            &trueValue,
+			CAFile:               "2",
+			CertFile:             "2",
+			KeyFile:              "2",
+			ServerAutoJoin:       &trueValue,
+			ClientAutoJoin:       &trueValue,
+			ChecksUseAdvertise:   &trueValue,
 		},
 		Sentinel: &config.SentinelConfig{
 			Imports: []*config.SentinelImport{

--- a/command/agent/job_endpoint.go
+++ b/command/agent/job_endpoint.go
@@ -633,6 +633,7 @@ func ApiJobToStructJob(job *api.Job) *structs.Job {
 		Datacenters: job.Datacenters,
 		Payload:     job.Payload,
 		Meta:        job.Meta,
+		ConsulToken: *job.ConsulToken,
 		VaultToken:  *job.VaultToken,
 		Constraints: ApiConstraintsToStructs(job.Constraints),
 		Affinities:  ApiAffinitiesToStructs(job.Affinities),

--- a/command/agent/job_endpoint_test.go
+++ b/command/agent/job_endpoint_test.go
@@ -1714,7 +1714,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 				},
 			},
 		},
-		VaultToken:        helper.StringToPtr("token"),
+		ConsulToken:       helper.StringToPtr("abc123"),
+		VaultToken:        helper.StringToPtr("def456"),
 		Status:            helper.StringToPtr("status"),
 		StatusDescription: helper.StringToPtr("status_desc"),
 		Version:           helper.Uint64ToPtr(10),
@@ -2060,7 +2061,8 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 			},
 		},

-		VaultToken: "token",
+		ConsulToken: "abc123",
+		VaultToken:  "def456",
 	}

 	structsJob := ApiJobToStructJob(apiJob)

--- a/command/agent/testdata/basic.hcl
+++ b/command/agent/testdata/basic.hcl
@@ -174,6 +174,7 @@ consul {
  client_service_name    = "nomad-client"
  client_http_check_name = "nomad-client-http-health-check"
  address                = "127.0.0.1:9500"
+  allow_unauthenticated  = true
  token                  = "token1"
  auth                   = "username:pass"
  ssl                    = true

--- a/command/agent/testdata/basic.json
+++ b/command/agent/testdata/basic.json
@@ -111,6 +111,7 @@
  "consul": [
    {
      "address": "127.0.0.1:9500",
+      "allow_unauthenticated": true,
      "auth": "username:pass",
      "auto_advertise": true,
      "ca_file": "/path/to/ca/file",

--- a/command/job_revert.go
+++ b/command/job_revert.go
@@ -31,9 +31,13 @@ Revert Options:
    the evaluation ID will be printed to the screen, which can be used to
    examine the evaluation using the eval-status command.

+  -consul-token
+   The Consul token used to verify that the caller has access to the Service
+   Identity policies associated in the targeted version of the job.
+
  -vault-token 
   The Vault token used to verify that the caller has access to the Vault 
-   policies i the targeted version of the job.
+   policies in the targeted version of the job.

  -verbose
    Display full information.
@@ -72,12 +76,13 @@ func (c *JobRevertCommand) Name() string { return "job revert" }

 func (c *JobRevertCommand) Run(args []string) int {
 	var detach, verbose bool
-	var vaultToken string
+	var consulToken, vaultToken string

 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.BoolVar(&detach, "detach", false, "")
 	flags.BoolVar(&verbose, "verbose", false, "")
+	flags.StringVar(&consulToken, "consul-token", "", "")
 	flags.StringVar(&vaultToken, "vault-token", "", "")

 	if err := flags.Parse(args); err != nil {
@@ -105,6 +110,12 @@ func (c *JobRevertCommand) Run(args []string) int {
 		return 1
 	}

+	// Parse the Consul token
+	if consulToken == "" {
+		// Check the environment variable
+		consulToken = os.Getenv("CONSUL_TOKEN")
+	}
+
 	// Parse the Vault token
 	if vaultToken == "" {
 		// Check the environment variable
@@ -138,7 +149,7 @@ func (c *JobRevertCommand) Run(args []string) int {
 	}

 	// Prefix lookup matched a single job
-	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, vaultToken)
+	resp, _, err := client.Jobs().Revert(jobs[0].ID, revertVersion, nil, nil, consulToken, vaultToken)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error retrieving job versions: %s", err))
 		return 1

--- a/command/job_run.go
+++ b/command/job_run.go
@@ -52,6 +52,10 @@ Alias: nomad run
  If the job has specified the region, the -region flag and NOMAD_REGION
  environment variable are overridden and the job's region is used.

+  The run command will set the consul_token of the job based on the following
+  precedence, going from highest to lowest: the -consul-token flag, the
+  $CONSUL_TOKEN environment variable and finally the value in the job file.
+
  The run command will set the vault_token of the job based on the following
  precedence, going from highest to lowest: the -vault-token flag, the
  $VAULT_TOKEN environment variable and finally the value in the job file.
@@ -82,6 +86,12 @@ Run Options:
  -policy-override
    Sets the flag to force override any soft mandatory Sentinel policies.

+  -consul-token
+    If set, the passed Consul token is stored in the job before sending to the
+    Nomad servers. This allows passing the Consul token without storing it in
+    the job file. This overrides the token found in $CONSUL_TOKEN environment
+    variable and that found in the job.
+
  -vault-token
    If set, the passed Vault token is stored in the job before sending to the
    Nomad servers. This allows passing the Vault token without storing it in
@@ -104,6 +114,7 @@ func (c *JobRunCommand) AutocompleteFlags() complete.Flags {
 			"-check-index":     complete.PredictNothing,
 			"-detach":          complete.PredictNothing,
 			"-verbose":         complete.PredictNothing,
+			"-consul-token":    complete.PredictNothing,
 			"-vault-token":     complete.PredictAnything,
 			"-output":          complete.PredictNothing,
 			"-policy-override": complete.PredictNothing,
@@ -118,7 +129,7 @@ func (c *JobRunCommand) Name() string { return "job run" }

 func (c *JobRunCommand) Run(args []string) int {
 	var detach, verbose, output, override bool
-	var checkIndexStr, vaultToken string
+	var checkIndexStr, consulToken, vaultToken string

 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
@@ -127,6 +138,7 @@ func (c *JobRunCommand) Run(args []string) int {
 	flags.BoolVar(&output, "output", false, "")
 	flags.BoolVar(&override, "policy-override", false, "")
 	flags.StringVar(&checkIndexStr, "check-index", "", "")
+	flags.StringVar(&consulToken, "consul-token", "", "")
 	flags.StringVar(&vaultToken, "vault-token", "", "")

 	if err := flags.Parse(args); err != nil {
@@ -175,6 +187,16 @@ func (c *JobRunCommand) Run(args []string) int {
 	periodic := job.IsPeriodic()
 	paramjob := job.IsParameterized()

+	// Parse the Consul token
+	if consulToken == "" {
+		// Check the environment variable
+		consulToken = os.Getenv("CONSUL_TOKEN")
+	}
+
+	if consulToken != "" {
+		job.ConsulToken = helper.StringToPtr(consulToken)
+	}
+
 	// Parse the Vault token
 	if vaultToken == "" {
 		// Check the environment variable

--- a/jobspec/parse_job.go
+++ b/jobspec/parse_job.go
@@ -79,6 +79,7 @@ func parseJob(result *api.Job, list *ast.ObjectList) error {
 		"update",
 		"vault",
 		"vault_token",
+		"consul_token",
 	}
 	if err := helper.CheckHCLKeys(listVal, valid); err != nil {
 		return multierror.Prefix(err, "job:")

--- a/jobspec/parse_test.go
+++ b/jobspec/parse_test.go
@@ -31,6 +31,7 @@ func TestParse(t *testing.T) {
 				Datacenters: []string{"us2", "eu1"},
 				Region:      helper.StringToPtr("fooregion"),
 				Namespace:   helper.StringToPtr("foonamespace"),
+				ConsulToken: helper.StringToPtr("abc"),
 				VaultToken:  helper.StringToPtr("foo"),

 				Meta: map[string]string{

--- a/jobspec/test-fixtures/bad-ports.hcl
+++ b/jobspec/test-fixtures/bad-ports.hcl
@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
  priority    = 50
  all_at_once = true
  datacenters = ["us2", "eu1"]
+  consul_token = "abc"
  vault_token = "foo"

  meta {

--- a/jobspec/test-fixtures/basic.hcl
+++ b/jobspec/test-fixtures/basic.hcl
@@ -5,6 +5,7 @@ job "binstore-storagelocker" {
  priority    = 52
  all_at_once = true
  datacenters = ["us2", "eu1"]
+  consul_token = "abc"
  vault_token = "foo"

  meta {

--- a/jobspec/test-fixtures/basic_wrong_key.hcl
+++ b/jobspec/test-fixtures/basic_wrong_key.hcl
@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
  priority    = 50
  all_at_once = true
  datacenters = ["us2", "eu1"]
+  consul_token = "abc"
  vault_token = "foo"

  meta {

--- a/jobspec/test-fixtures/incorrect-service-def.hcl
+++ b/jobspec/test-fixtures/incorrect-service-def.hcl
@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
  priority    = 50
  all_at_once = true
  datacenters = ["us2", "eu1"]
+  consul_token = "abc"
  vault_token = "foo"

  meta {

--- a/jobspec/test-fixtures/overlapping-ports.hcl
+++ b/jobspec/test-fixtures/overlapping-ports.hcl
@@ -4,6 +4,7 @@ job "binstore-storagelocker" {
  priority    = 50
  all_at_once = true
  datacenters = ["us2", "eu1"]
+  consul_token = "abc"
  vault_token = "foo"

  meta {

--- a/nomad/structs/config/consul.go
+++ b/nomad/structs/config/consul.go
@@ -72,6 +72,11 @@ type ConsulConfig struct {
 	// the agent's default token
 	Token string `hcl:"token"`

+	// AllowUnauthenticated allows users to submit jobs requiring Consul
+	// Service Identity tokens without providing a Consul token proving they
+	// have access to such policies.
+	AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`
+
 	// Auth is the information to use for http access to Consul agent
 	Auth string `hcl:"auth"`

@@ -115,17 +120,18 @@ type ConsulConfig struct {
 func DefaultConsulConfig() *ConsulConfig {
 	def := consul.DefaultConfig()
 	return &ConsulConfig{
-		ServerServiceName:   "nomad",
-		ServerHTTPCheckName: "Nomad Server HTTP Check",
-		ServerSerfCheckName: "Nomad Server Serf Check",
-		ServerRPCCheckName:  "Nomad Server RPC Check",
-		ClientServiceName:   "nomad-client",
-		ClientHTTPCheckName: "Nomad Client HTTP Check",
-		AutoAdvertise:       helper.BoolToPtr(true),
-		ChecksUseAdvertise:  helper.BoolToPtr(false),
-		ServerAutoJoin:      helper.BoolToPtr(true),
-		ClientAutoJoin:      helper.BoolToPtr(true),
-		Timeout:             5 * time.Second,
+		ServerServiceName:    "nomad",
+		ServerHTTPCheckName:  "Nomad Server HTTP Check",
+		ServerSerfCheckName:  "Nomad Server Serf Check",
+		ServerRPCCheckName:   "Nomad Server RPC Check",
+		ClientServiceName:    "nomad-client",
+		ClientHTTPCheckName:  "Nomad Client HTTP Check",
+		AutoAdvertise:        helper.BoolToPtr(true),
+		ChecksUseAdvertise:   helper.BoolToPtr(false),
+		ServerAutoJoin:       helper.BoolToPtr(true),
+		ClientAutoJoin:       helper.BoolToPtr(true),
+		AllowUnauthenticated: helper.BoolToPtr(true),
+		Timeout:              5 * time.Second,

 		// From Consul api package defaults
 		Addr:      def.Address,
@@ -135,6 +141,12 @@ func DefaultConsulConfig() *ConsulConfig {
 	}
 }

+// AllowsUnauthenticated returns whether the config allows unauthenticated
+// creation of Consul Service Identity tokens for Consul Connect enabled Tasks.
+func (a *ConsulConfig) AllowsUnauthenticated() bool {
+	return a.AllowUnauthenticated != nil && *a.AllowUnauthenticated
+}
+
 // Merge merges two Consul Configurations together.
 func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
 	result := a.Copy()
@@ -203,6 +215,9 @@ func (a *ConsulConfig) Merge(b *ConsulConfig) *ConsulConfig {
 	if b.ChecksUseAdvertise != nil {
 		result.ChecksUseAdvertise = helper.BoolToPtr(*b.ChecksUseAdvertise)
 	}
+	if b.AllowUnauthenticated != nil {
+		result.AllowUnauthenticated = helper.BoolToPtr(*b.AllowUnauthenticated)
+	}
 	return result
 }

@@ -289,6 +304,9 @@ func (c *ConsulConfig) Copy() *ConsulConfig {
 	if nc.ClientAutoJoin != nil {
 		nc.ClientAutoJoin = helper.BoolToPtr(*nc.ClientAutoJoin)
 	}
+	if nc.AllowUnauthenticated != nil {
+		nc.AllowUnauthenticated = helper.BoolToPtr(*nc.AllowUnauthenticated)
+	}

 	return nc
 }
--- a/nomad/structs/config/consul_test.go
+++ b/nomad/structs/config/consul_test.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"os/exec"
 	"testing"
+	"time"

 	consulapi "github.com/hashicorp/consul/api"
 	"github.com/stretchr/testify/assert"
@@ -27,6 +28,94 @@ func TestMain(m *testing.M) {
 	os.Exit(0)
 }

+func TestConsulConfig_Merge(t *testing.T) {
+	yes, no := true, false
+
+	c1 := &ConsulConfig{
+		ServerServiceName:    "1",
+		ServerHTTPCheckName:  "1",
+		ServerSerfCheckName:  "1",
+		ServerRPCCheckName:   "1",
+		ClientServiceName:    "1",
+		ClientHTTPCheckName:  "1",
+		Tags:                 []string{"a", "1"},
+		AutoAdvertise:        &no,
+		ChecksUseAdvertise:   &no,
+		Addr:                 "1",
+		GRPCAddr:             "1",
+		Timeout:              time.Duration(1),
+		TimeoutHCL:           "1",
+		Token:                "1",
+		AllowUnauthenticated: &no,
+		Auth:                 "1",
+		EnableSSL:            &no,
+		VerifySSL:            &no,
+		CAFile:               "1",
+		CertFile:             "1",
+		KeyFile:              "1",
+		ServerAutoJoin:       &no,
+		ClientAutoJoin:       &no,
+		ExtraKeysHCL:         []string{"a", "1"},
+	}
+
+	c2 := &ConsulConfig{
+		ServerServiceName:    "2",
+		ServerHTTPCheckName:  "2",
+		ServerSerfCheckName:  "2",
+		ServerRPCCheckName:   "2",
+		ClientServiceName:    "2",
+		ClientHTTPCheckName:  "2",
+		Tags:                 []string{"b", "2"},
+		AutoAdvertise:        &yes,
+		ChecksUseAdvertise:   &yes,
+		Addr:                 "2",
+		GRPCAddr:             "2",
+		Timeout:              time.Duration(2),
+		TimeoutHCL:           "2",
+		Token:                "2",
+		AllowUnauthenticated: &yes,
+		Auth:                 "2",
+		EnableSSL:            &yes,
+		VerifySSL:            &yes,
+		CAFile:               "2",
+		CertFile:             "2",
+		KeyFile:              "2",
+		ServerAutoJoin:       &yes,
+		ClientAutoJoin:       &yes,
+		ExtraKeysHCL:         []string{"b", "2"},
+	}
+
+	exp := &ConsulConfig{
+		ServerServiceName:    "2",
+		ServerHTTPCheckName:  "2",
+		ServerSerfCheckName:  "2",
+		ServerRPCCheckName:   "2",
+		ClientServiceName:    "2",
+		ClientHTTPCheckName:  "2",
+		Tags:                 []string{"a", "1", "b", "2"},
+		AutoAdvertise:        &yes,
+		ChecksUseAdvertise:   &yes,
+		Addr:                 "2",
+		GRPCAddr:             "2",
+		Timeout:              time.Duration(2),
+		TimeoutHCL:           "2",
+		Token:                "2",
+		AllowUnauthenticated: &yes,
+		Auth:                 "2",
+		EnableSSL:            &yes,
+		VerifySSL:            &yes,
+		CAFile:               "2",
+		CertFile:             "2",
+		KeyFile:              "2",
+		ServerAutoJoin:       &yes,
+		ClientAutoJoin:       &yes,
+		ExtraKeysHCL:         []string{"a", "1"}, // not merged
+	}
+
+	result := c1.Merge(c2)
+	require.Equal(t, exp, result)
+}
+
 // TestConsulConfig_Defaults asserts Consul defaults are copied from their
 // upstream API package defaults.
 func TestConsulConfig_Defaults(t *testing.T) {