From 734309e5242f443681749536b06fed9ab04ad036 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Wed, 25 Oct 2023 10:17:14 -0400
Subject: [PATCH] add deprecation warning for Vault/Consul token usage

Submitting a Consul or Vault token with a job is deprecated in Nomad 1.7 and intended for removal in Nomad 1.9. Add a deprecation warning to the CLI when the user passes in the appropriate flag or environment variable. Nomad agents will no longer need a Vault token when configured with workload identity, and we'll ignore Vault tokens in the agent config after Nomad 1.9. Log a warning at agent startup.
Ref: https://github.com/hashicorp/nomad/issues/15617
Ref: https://github.com/hashicorp/nomad/issues/15618
---
 command/agent/command.go | 6 ++++++
 command/job_revert.go | 11 +++++++++++
 command/job_run.go | 6 ++++++
 3 files changed, 23 insertions(+)

diff --git a/command/agent/command.go b/command/agent/command.go
index 04776d14339..9a27678b569 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -612,6 +612,12 @@ func (c *Command) setupAgent(config *Config, logger hclog.InterceptLogger, logOu
 }
 c.httpServers = httpServers
+ for _, vault := range config.Vaults {
+ if vault.Token != "" {
+ logger.Warn("Setting a Vault token in the agent configuration is deprecated and will be removed in Nomad 1.9. Migrate your Vault configuration to use workload identity.", "cluster", vault.Name)
+ }
+ }
+
 // If DisableUpdateCheck is not enabled, set up update checking
 // (DisableUpdateCheck is false by default)
 if config.DisableUpdateCheck != nil && !*config.DisableUpdateCheck {
diff --git a/command/job_revert.go b/command/job_revert.go
index 713c06e094d..189db7abb7a 100644
--- a/command/job_revert.go
+++ b/command/job_revert.go
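Review bot: The new loop in setupAgent has no comment tying it to the deprecation schedule or recording that only the cluster name may be logged, so a later edit could add `vault.Token` to the fields or leave the check behind after 1.9. A comment above the loop such as `// Deprecated in 1.7 (see #15617, #15618): warn per cluster; log vault.Name only, never vault.Token.` would cover both. The message also says the token was set "in the agent configuration"; if `vault.Token` can be filled from the environment before this point (not visible in the hunk), that wording sends operators to the wrong place, and `Setting a Vault token for the agent is deprecated ...` would be safer. setupAgent starts and ends outside the hunk.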
@@ -132,6 +132,17 @@ func (c *JobRevertCommand) Run(args []string) int {
 vaultToken = os.Getenv("VAULT_TOKEN")
 }
+ if consulToken != "" {
+ c.Ui.Warn(strings.TrimSpace(`
+Warning: setting a Consul token when submitting a job is deprecated and will be
+removed in Nomad 1.9. Migrate your Consul configuration to use workload identity.`))
+ }
+ if vaultToken != "" {
+ c.Ui.Warn(strings.TrimSpace(`
+Warning: setting a Vault token when submitting a job is deprecated and will be
+removed in Nomad 1.9. Migrate your Vault configuration to use workload identity.`))
+ }
+
 // Parse the job version
 revertVersion, ok, err := parseVersion(args[1])
 if !ok {
diff --git a/command/job_run.go b/command/job_run.go
index cd20e95b29c..67e121dd9ec 100644
--- a/command/job_run.go
+++ b/command/job_run.go
@@ -280,6 +280,9 @@ func (c *JobRunCommand) Run(args []string) int {
 }
 if consulToken != "" {
+ c.Ui.Warn(strings.TrimSpace(`
+Warning: setting a Consul token when submitting a job is deprecated and will be
+removed in Nomad 1.9. Migrate your Consul configuration to use workload identity.`))
 job.ConsulToken = pointer.Of(consulToken)
 }
@@ -294,6 +297,9 @@ func (c *JobRunCommand) Run(args []string) int {
 }
 if vaultToken != "" {
+ c.Ui.Warn(strings.TrimSpace(`
+Warning: setting a Vault token when submitting a job is deprecated and will be
+removed in Nomad 1.9. Migrate your Vault configuration to use workload identity.`))
 job.VaultToken = pointer.Of(vaultToken)
 }
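Review bot: In JobRevertCommand.Run the Vault warning also fires when the token came from `VAULT_TOKEN` (the fallback in the context lines just above the additions), yet the text only says "setting a Vault token", so a user who exported that variable for other tooling gets no hint that the CLI is forwarding it with the job. Naming the source would make the warning actionable, for example by ending the first sentence with `(from -vault-token or VAULT_TOKEN)`; the Consul branch presumably has an equivalent fallback, which is outside this hunk. The same two literals are repeated in both job_run.go hunks, so a pair of package-level constants shared by the three call sites would keep the wording from drifting. In job_revert.go the warnings are also printed before `parseVersion(args[1])` runs, so they appear even when the command then fails on a bad version. Run's body starts and ends outside the hunk.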