From cb07bc558f6399531e327978995cada645742763 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Wed, 24 Aug 2022 20:14:29 +0000
Subject: [PATCH] backport of commit 9692586e77c3121737f6fe2c14fd6037520410c4
---
command/agent/agent_test.go | 42 +++++++++++++++---------------
nomad/server_test.go | 4 +++
nomad/structs/config/vault_test.go | 2 +-
nomad/vault.go | 11 ++++++++
nomad/vault_testing.go | 1 +
5 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/command/agent/agent_test.go b/command/agent/agent_test.go
index 457937ea329..1bd2bad45ed 100644
--- a/command/agent/agent_test.go
+++ b/command/agent/agent_test.go
@@ -1060,34 +1060,34 @@ func TestServer_Reload_TLS_DowngradeFromTLS(t *testing.T) {
func TestServer_Reload_VaultConfig(t *testing.T) {
ci.Parallel(t)
- logger := testlog.HCLogger(t)
-
- agentConfig := &Config{
- TLSConfig: &config.TLSConfig{},
- Vault: &config.VaultConfig{
+ agent := NewTestAgent(t, t.Name(), func(c *Config) {
+ c.Server.NumSchedulers = pointer.Of(0)
+ c.Vault = &config.VaultConfig{
Enabled: pointer.Of(true),
Token: "vault-token",
Namespace: "vault-namespace",
- },
- }
+ Addr: "https://vault.consul:8200",
+ }
+ })
+ defer agent.Shutdown()
- agent := &Agent{
- auditor: &noOpAuditor{},
- logger: logger,
- config: agentConfig,
+ newConfig := agent.GetConfig().Copy()
+ newConfig.Vault = &config.VaultConfig{
+ Enabled: pointer.Of(true),
+ Token: "vault-token",
+ Namespace: "another-namespace",
+ Addr: "https://vault.consul:8200",
}
- newConfig := &Config{
- TLSConfig: &config.TLSConfig{},
- Vault: &config.VaultConfig{
- Enabled: pointer.Of(true),
- Token: "vault-token",
- Namespace: "vault-namespace",
- },
- }
+ sconf, err := convertServerConfig(newConfig)
+ must.NoError(t, err)
+ agent.finalizeServerConfig(sconf)
- must.NoError(t, agent.Reload(newConfig))
- must.Equals(t, agent.config.Vault, newConfig.Vault)
+ // TODO: the vault client isn't accessible here, and we don't actually
+ // overwrite the agent's server config on reload. We probably should? See
+ // tests in nomad/server_test.go for verification of this code path's
+ // behavior on the VaultClient
+ must.NoError(t, agent.server.Reload(sconf))
}
func TestServer_ShouldReload_ReturnFalseForNoChanges(t *testing.T) {
diff --git a/nomad/server_test.go b/nomad/server_test.go
index c4ea2cfc742..16f99c2c3e8 100644
--- a/nomad/server_test.go
+++ b/nomad/server_test.go
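Review bot: The rewritten TestServer_Reload_VaultConfig no longer exercises the agent-level reload path: it converts the config itself and calls `agent.server.Reload(sconf)` directly, and the only assertion left after the removed `must.Equals` is that `Reload` returns no error, so a regression that silently drops the new namespace would pass here. The TODO comment acknowledges the gap but leaves the test asserting nothing about the namespace it changed. Until the vault client is reachable from this package, the test should at least check that the converted server config carries `"another-namespace"` before reloading (presumably under the server config's Vault config field — confirm the field name), and the TODO should name the follow-up precisely, e.g. `// TODO: assert the applied namespace once agent.Reload exposes the server's VaultClient config (see nomad/server_test.go)`.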
@@ -223,6 +223,10 @@ func TestServer_Reload_Vault(t *testing.T) {
if !s1.vault.Running() {
t.Fatalf("Vault client should be running")
}
+
+ if s1.vault.GetConfig().Namespace != "nondefault" {
+ t.Fatalf("Vault client did not get new namespace")
+ }
}
func connectionReset(msg string) bool {
diff --git a/nomad/structs/config/vault_test.go b/nomad/structs/config/vault_test.go
index 4e8420d9886..83739c4c9b7 100644
--- a/nomad/structs/config/vault_test.go
+++ b/nomad/structs/config/vault_test.go
@@ -65,7 +65,7 @@ func TestVaultConfig_Merge(t *testing.T) {
}
}
-func TestVaultConfig_IsEqual(t *testing.T) {
+func TestVaultConfig_Equals(t *testing.T) {
ci.Parallel(t)
c1 := &VaultConfig{
diff --git a/nomad/vault.go b/nomad/vault.go
index 7e2550b1580..0410b53597e 100644
--- a/nomad/vault.go
+++ b/nomad/vault.go
@@ -111,6 +111,10 @@ type VaultClient interface {
// SetConfig updates the config used by the Vault client
SetConfig(config *config.VaultConfig) error
+ // GetConfig returns a copy of the config used by the Vault client, for
+ // testing
+ GetConfig() *config.VaultConfig
+
// CreateToken takes an allocation and task and returns an appropriate Vault
// Secret
CreateToken(ctx context.Context, a *structs.Allocation, task string) (*vapi.Secret, error)
@@ -350,6 +354,13 @@ func (v *vaultClient) flush() {
v.tomb = &tomb.Tomb{}
}
+// GetConfig returns a copy of this vault client's configuration, for testing.
+func (v *vaultClient) GetConfig() *config.VaultConfig {
+ v.setConfigLock.Lock()
+ defer v.setConfigLock.Unlock()
+ return v.config.Copy()
+}
+
// SetConfig is used to update the Vault config being used. A temporary outage
// may occur after calling as it re-establishes a connection to Vault
func (v *vaultClient) SetConfig(config *config.VaultConfig) error {
diff --git a/nomad/vault_testing.go b/nomad/vault_testing.go
index 857cd52150f..b81c0f197d1 100644
--- a/nomad/vault_testing.go
+++ b/nomad/vault_testing.go
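Review bot: The new check in TestServer_Reload_Vault dereferences `s1.vault.GetConfig()` with no nil check, and the `TestVaultClient.GetConfig` stub added in nomad/vault_testing.go returns nil, so if this server were ever wired with the test double the line would panic with a nil-pointer dereference rather than fail cleanly; it also discards the observed namespace from the failure message. Capture the config once, fail explicitly on nil, and print only the namespace — not the whole struct, since `VaultConfig` carries the `Token` and a `%+v` dump would put it in test output. The enclosing function starts outside the hunk.
```go
	cfg := s1.vault.GetConfig()
	if cfg == nil {
		t.Fatalf("Vault client returned nil config")
	}
	if cfg.Namespace != "nondefault" {
		t.Fatalf("Vault client did not get new namespace: got %q", cfg.Namespace)
	}
```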
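Review bot: `vaultClient.GetConfig` reads `v.config` while holding only `setConfigLock`; whether that lock guards writes to `v.config` or merely serialises `SetConfig` callers is not visible in this hunk, and if `SetConfig` assigns `v.config` under a different field lock this read races with it and should take that lock as well — worth confirming against the body of `SetConfig`, which starts at the hunk's end. `v.config.Copy()` is also invoked on a possibly-nil receiver, so either `Copy` must tolerate nil or the method needs a guard. Returning a copy rather than the live pointer is the right call; the doc comment here and on the interface method (hunk at line 111) should say what the copy contains so test authors handle it accordingly, e.g. `// GetConfig returns a copy of the client's current configuration, including the Vault token; intended for tests, and the copy should not be logged.`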
@@ -142,6 +142,7 @@ func (v *TestVaultClient) MarkForRevocation(accessors []*structs.VaultAccessor)
func (v *TestVaultClient) Stop() {}
func (v *TestVaultClient) SetActive(enabled bool) {}
+func (v *TestVaultClient) GetConfig() *config.VaultConfig { return nil }
func (v *TestVaultClient) SetConfig(config *config.VaultConfig) error { return nil }
func (v *TestVaultClient) Running() bool { return true }
func (v *TestVaultClient) Stats() map[string]string { return map[string]string{} }
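Review bot: `TestVaultClient.GetConfig` returns nil, so any test that does `GetConfig().Namespace` against a server using this double — the pattern the new assertion in nomad/server_test.go uses — panics with a nil-pointer dereference instead of producing a readable failure. The stub's `SetConfig` on the next line discards its argument, so the pair cannot round-trip a config either. The minimal fix is `func (v *TestVaultClient) GetConfig() *config.VaultConfig { return &config.VaultConfig{} }`; better, store the argument in `SetConfig` on a new field of `TestVaultClient` (its declaration is outside the hunk) and return a copy of it from `GetConfig`, so tests can verify what was actually applied.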