Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vault: load default config for tasks without vault #19439

Merged
merged 2 commits into from
Dec 12, 2023
Merged

vault: load default config for tasks without vault #19439

merged 2 commits into from
Dec 12, 2023

Conversation

lgfa29
Copy link
Contributor

@lgfa29 lgfa29 commented Dec 11, 2023
edited
Loading

It is often expected that a task that needs access to Vault defines a vault block to specify the Vault policy to use to derive a token.

But in some scenarios, like when the Nomad client is connected to a local Vault agent that is responsible for authn/authz, the task is not required to defined a vault block.

In these situations, the default Vault cluster should be used to render the template.

Closes #19380

@lgfa29
vault: load default config for tasks without vault
bd0626e 
It is often expected that a task that needs access to Vault defines a
`vault` block to specify the Vault policy to use to derive a token.

But in some scenarios, like when the Nomad client is connected to a
local Vault agent that is responsible for authn/authz, the task is not
required to defined a `vault` block.

In these situations, the `default` Vault cluster should be used to
render the template.
@lgfa29 lgfa29 force-pushed the b-use-default-vault-cluster branch from 5cef72f to bd0626e Compare December 11, 2023 22:59
@lgfa29 lgfa29 added the backport/1.7.x backport to 1.7.x release line label Dec 11, 2023
tgross
tgross approved these changes Dec 12, 2023
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

client/allocrunner/taskrunner/template_hook_test.go
}()

var gotRequest bool
LOOP:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the send on reqCh is blocking, at first I thought you could probably select over reqCh and ctx without this loop and check the error afterwards, and avoid the label/break/goto. But this is a nicely elegant way of avoiding blocking 3 whole seconds for the context timeout on error. 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this ensure we exit as soon as Prestart() finishes. I think there's a theoretical issue where a test case reads a request from another test case, because reqCh is shared while each test case has its own consumer. But since this is a test, and each test case doesn't run in parallel, I think it's fine.

@tgross tgross added this to the 1.7.x milestone Dec 12, 2023
@lgfa29 lgfa29 merged commit 0bc822d into main Dec 12, 2023
21 checks passed
@lgfa29 lgfa29 deleted the b-use-default-vault-cluster branch December 12, 2023 19:06
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Dec 12, 2023
Merged
@tgross tgross mentioned this pull request Dec 13, 2023
Closed
@joliver
Copy link

joliver commented Dec 14, 2023

It appears there's one small regression in this. Our configuration is spread across multiple files which are merged together using the Nomad configuration merge behavior

00-vault.hcl:

vault {
  address = "https://vault.company.com:8200"
}

25-server.hcl:

vault {
  enabled          = true
  create_from_role = "role-name-here"
}

In Vault 1.6.x and up through Vault 1.7.1, the above behavior was working properly. With the introduction of Vault 1.7.2, I believe the merge behavior has changed because of the later file not specifying a Vault address such that a default address is used which then overwrites/hide the value specified in the earlier file.

@tgross tgross mentioned this pull request Dec 14, 2023
Closed
@tgross
Copy link
Member

tgross commented Dec 14, 2023

@joliver I've opened #19482 for you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tgross tgross tgross approved these changes

@pkazmierczak pkazmierczak Awaiting requested review from pkazmierczak

Assignees
No one assigned
Labels
backport/1.7.x backport to 1.7.x release line theme/vault
Projects
None yet
Milestone
1.7.x
Development

Successfully merging this pull request may close these issues.

Vault address is ignored in nomad clients on v1.7.0
3 participants
@lgfa29 @joliver @tgross