Vault integration upgrade based on Workload Identity #15617
Comments
Example of a motivating use case: #16639
Submitting a Consul or Vault token with a job is deprecated in Nomad 1.7 and intended for removal in Nomad 1.9. Add a deprecation warning to the CLI when the user passes in the appropriate flag or environment variable. Nomad agents will no longer need a Vault token when configured with workload identity, and we'll ignore Vault tokens in the agent config after Nomad 1.9. Log a warning at agent startup. Ref: #15617 Ref: #15618
Shipped in Nomad 1.7.0-beta.1
Hi, would it be expected that to successfully retrieve the JWKS, you need to have verify_https_client set to "false"? If I have that set to true, it is expected that the client present a TLS certificate (mutual TLS), but Vault isn't going to do that, so the retrieval of JWKS fails?
@tomqwpl yeah that's right. We should probably update the
Do you mean "true" here? I'm assuming you mean "false"? I see in fact that the docs say "false". Thanks.
🤦 yes, sorry.
Yeah, in that case you really do want to enable TLS verification for the HTTP API. But it's not recommended to have ACLs disabled.
Proposal
Once Workload Identity upgrades make it into Nomad, we can redo the Vault integration to use these tokens as the source of auth instead of manually provided Vault tokens.
Using these tokens, Nomad users would have a one-time setup process to integrate Nomad workloads into Vault.
The general flow for setting up the Vault-Nomad integration would be:
This would involve an up-front cost to set up roles in Vault, but after that no management of tokens would be needed.
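The trust path this proposal relies on is: Nomad signs a per-workload JWT, publishes the matching public keys as a JWKS (the retrieval the comments above discuss, which is why Vault must be able to fetch it without presenting a client certificate), and Vault's JWT auth method verifies the token against those keys before mapping its claims to a role. The Go program below is an added example, not Nomad's or Vault's own code: it builds that path end to end on one machine with a stand-in issuer and a stand-in verifier. The key ID, the audience value vault.io, the job and namespace values and the 2048-bit RSA key are constructed for the example; the nomad_* claim names follow the Nomad documentation and are an assumption here, as is the reduced set of checks (real Vault roles also enforce bound claims, issuer and more).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 key needed for RS256; jwks is the shape of /.well-known/jwks.json.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct{ Keys []jwk `json:"keys"` }

// claims is a subset of a Nomad workload identity (nomad_* names assumed from the Nomad docs).
type claims struct {
	Aud       []string `json:"aud"`
	Exp       int64    `json:"exp"`
	Namespace string   `json:"nomad_namespace"`
	JobID     string   `json:"nomad_job_id"`
}

var enc = base64.RawURLEncoding

// newIssuer plays the Nomad server: generate a signing key, publish its public half under kid.
func newIssuer(kid string) (*rsa.PrivateKey, jwks, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, jwks{}, err
	}
	n, e := priv.PublicKey.N.Bytes(), big.NewInt(int64(priv.PublicKey.E)).Bytes()
	k := jwk{Kid: kid, Kty: "RSA", N: enc.EncodeToString(n), E: enc.EncodeToString(e)}
	return priv, jwks{Keys: []jwk{k}}, nil
}

// mintWorkloadJWT signs claims with RS256 into compact header.payload.signature form.
func mintWorkloadJWT(kid string, priv *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyWorkloadJWT plays the JWT auth method on the Vault side: pin the algorithm, resolve the
// key by kid from the JWKS, check the signature, then enforce audience and expiry before any
// claim is trusted for role matching.
func verifyWorkloadJWT(token string, keys jwks, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	// The token never chooses the algorithm: "none" and HS256 key confusion stop here.
	hdrRaw, err := enc.DecodeString(parts[0])
	var hdr map[string]string
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("rejected header %q", parts[0])
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid == hdr["kid"] && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable JWKS key with kid %q", hdr["kid"])
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	body, err := enc.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %v does not include %q", c.Aud, wantAud)
}

func main() {
	priv, keys, _ := newIssuer("nomad-key-1")
	c := claims{Aud: []string{"vault.io"}, Exp: time.Now().Add(time.Hour).Unix(), Namespace: "default", JobID: "web"}
	tok, _ := mintWorkloadJWT("nomad-key-1", priv, c)
	fmt.Println(verifyWorkloadJWT(tok, keys, "vault.io", time.Now()))
	fmt.Println(verifyWorkloadJWT(tok, keys, "consul.io", time.Now()))
}
```

Two points the code makes concrete. First, the JWKS contains only public material, so the verifier fetches it anonymously; the integrity of that fetch rests on verifying Nomad's server certificate, not on a client certificate, which is why the JWKS fetch breaks when the HTTP API demands mutual TLS. Second, the audience check is what stops a token minted for one consumer from being replayed against another, so the aud value in a Nomad identity block and the bound audience on the Vault role have to agree.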
Use Cases & Advantages
This would be advantageous in many ways:
Potential simultaneous improvements
While not directly related, there are a few other Vault improvements that should be considered while we do this upgrade: