Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vault: add new nomad setup vault -check commmand #19720

Merged
merged 4 commits into from
Jan 12, 2024
Merged

vault: add new nomad setup vault -check commmand #19720

merged 4 commits into from
Jan 12, 2024

Conversation

lgfa29
Copy link
Contributor

@lgfa29 lgfa29 commented Jan 11, 2024

The new nomad setup vault -check commmand can be used to retrieve information about the changes required before a cluster is migrated from the deprecated legacy authentication flow with Vault to use only workload identities.

lgfa29 added 2 commits January 11, 2024 14:41
@lgfa29
vault: add new nomad setup vault -check commmand
c597550 
The new `nomad setup vault -check` commmand can be used to retrieve
information about the changes required before a cluster is migrated from
the deprecated legacy authentication flow with Vault to use only
workload identities.
@lgfa29
changelog: add entry for #19720
8ae8ba6
@lgfa29 lgfa29 added the backport/1.7.x backport to 1.7.x release line label Jan 11, 2024
@lgfa29 lgfa29 requested a review from a team January 11, 2024 19:44
shoenig
shoenig reviewed Jan 11, 2024
View reviewed changes
nomad/operator_endpoint.go Outdated Show resolved Hide resolved
shoenig
shoenig reviewed Jan 11, 2024
View reviewed changes
nomad/operator_endpoint_test.go

// Verify only jobs without Vault identity are returned.
must.Len(t, 2, resp.JobsWithoutVaultIdentity)
must.SliceContains(t, resp.JobsWithoutVaultIdentity, jobNoWID.Stub(nil, nil), must.Cmp(cmpopts.IgnoreFields(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I knew somebody would use must.Cmp one day!! 🥳

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've used them a in a few places while working on node pools. Very handy for ignoring these Raft indexes that we usually don't care about 😄

https://github.com/search?q=repo%3Ahashicorp%2Fnomad%20%22must.Cmp%22&type=code

shoenig
shoenig reviewed Jan 11, 2024
View reviewed changes
nomad/structs/workload_id.go

// MinNomadVersionVaultWID is the minimum version of Nomad that supports
// workload identities for Vault.
MinNomadVersionVaultWID = version.Must(version.NewVersion("1.7.0-a"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is the 1.7.0-a literal correct? (which I guess could make sense as -a is the first possible pre-release version in semver 2)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes, I should've copied this info from the implicit constraint:

nomad/nomad/job_endpoint_hook_implicit_identities.go

Lines 53 to 59 in b2aa6ff

// "-a" is used here so that it is "less than" all pre-release versions of
// Nomad 1.7.0 as well
return &structs.Constraint{
LTarget: "${attr.nomad.version}",
RTarget: ">= 1.7.0-a",
Operand: structs.ConstraintSemver,
}

shoenig
shoenig approved these changes Jan 11, 2024
View reviewed changes
Copy link
Member

@shoenig shoenig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great @lgfa29! Just the small suggestions

@lgfa29 lgfa29 merged commit e1e80f3 into main Jan 12, 2024
21 checks passed
@lgfa29 lgfa29 deleted the f-cli-setup-vault-check branch January 12, 2024 20:48
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Jan 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shoenig shoenig shoenig approved these changes

Assignees
No one assigned
Labels
backport/1.7.x backport to 1.7.x release line
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lgfa29 @shoenig