vault: fix legacy token workflow for poststop tasks #19268

Merged: 1 commit, Dec 1, 2023

tgross (Member) commented Dec 1, 2023

The new Workload Identity workflow for Vault tokens correctly handles post-stop tasks, however the legacy workflow does not. Attempts to get a Vault token are rejected if the allocation is server-terminal or client-terminal, but we should be waiting until the allocation is client-terminal (only) so that poststop tasks get a chance to get Vault tokens too.

Fixes: #16886
See #16886 (comment) for testing details.

@tgross tgross added backport/1.5.x backport to 1.5.x release line backport/1.6.x backport to 1.6.x release line backport/1.7.x backport to 1.7.x release line theme/vault labels Dec 1, 2023
@tgross tgross added this to the 1.7.0 milestone Dec 1, 2023
@tgross tgross force-pushed the b-vault-token-for-poststop-legacy branch from 5ead257 to a8d75ca Compare December 1, 2023 16:57
@tgross tgross requested review from lgfa29 and pkazmierczak December 1, 2023 17:00
@tgross tgross marked this pull request as ready for review December 1, 2023 17:00
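
The gate described in the PR description above, as an added example that is not Nomad's code or part of this PR. The `Alloc` type, the status strings and both `allowToken*` functions are simplified assumptions modelled on the server-terminal / client-terminal distinction; the lifecycle is constructed.

```go
package main

import "fmt"

// Alloc is a hypothetical, simplified stand-in for an allocation.
type Alloc struct {
	DesiredStatus string // decided by the server: "run", "stop", "evict"
	ClientStatus  string // reported by the client: "running", "complete", "failed", "lost"
}

// ServerTerminal: the server has decided the allocation should stop.
func (a Alloc) ServerTerminal() bool {
	return a.DesiredStatus == "stop" || a.DesiredStatus == "evict"
}

// ClientTerminal: the client reports that all tasks have finished.
func (a Alloc) ClientTerminal() bool {
	switch a.ClientStatus {
	case "complete", "failed", "lost":
		return true
	}
	return false
}

// allowTokenBefore models the legacy behaviour the PR describes:
// reject when the allocation is server-terminal OR client-terminal.
func allowTokenBefore(a Alloc) bool { return !(a.ServerTerminal() || a.ClientTerminal()) }

// allowTokenAfter models the fixed behaviour: reject only once the
// allocation is client-terminal, so poststop tasks can still get a token.
func allowTokenAfter(a Alloc) bool { return !a.ClientTerminal() }

func main() {
	// Constructed lifecycle of an allocation that has a poststop task.
	steps := []struct {
		name  string
		alloc Alloc
	}{
		{"main task running", Alloc{"run", "running"}},
		{"stop requested, poststop task starting", Alloc{"stop", "running"}},
		{"all tasks finished", Alloc{"stop", "complete"}},
	}
	for _, s := range steps {
		fmt.Printf("%-40s before=%-5v after=%v\n",
			s.name, allowTokenBefore(s.alloc), allowTokenAfter(s.alloc))
	}
}
```

The middle step is the window the fix opens: the server has asked for a stop, but the client still has a poststop task to run.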
lgfa29 (Contributor) left a comment

Thanks for looking into this!

tgross (Member, Author) commented Dec 1, 2023

Oops, I need to fix a test that's checking the server-terminal status. Will fix that right after lunch. Done!

The new Workload Identity workflow for Vault tokens correctly handles post-stop
tasks, however the legacy workflow does not. Attempts to get a Vault token are
rejected if the allocation is server-terminal or client-terminal, but we should
be waiting until the allocation is client-terminal (only) so that poststop tasks
get a chance to get Vault tokens too.

Fixes: #16886

dpn commented Dec 1, 2023

@tgross Strangely enough we were just looking at this ticket yesterday. Crazy coincidence. Thanks!

Successfully merging this pull request may close these issues.

Poststop lifecycle task - Can't request Vault token for terminal allocation