Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

command: use consistent CONSUL_HTTP_TOKEN name #7129

Merged
merged 2 commits into from
Feb 12, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ BUG FIXES:
* scheduler: Fixed a bug that caused evicted allocs on a lost node to be stuck in running [[GH-6902](https://github.com/hashicorp/nomad/issues/6902)]
* scheduler: Fixed a bug where `nomad job plan/apply` returned errors instead of ignoring system job updates for ineligible nodes. [[GH-6996](https://github.com/hashicorp/nomad/issues/6996)]

SECURITY:

* client: Nomad will no longer pass through the `CONSUL_HTTP_TOKEN` environment variable when launching a task. [[GH-7131](https://github.com/hashicorp/nomad/issues/7131)]

## 0.10.3 (January 29, 2020)

SECURITY:
Expand Down
1 change: 1 addition & 0 deletions client/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ var (
// filtered when passing the environment variables of the host to a task.
DefaultEnvBlacklist = strings.Join([]string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",
Expand Down
2 changes: 1 addition & 1 deletion command/job_revert.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ func (c *JobRevertCommand) Run(args []string) int {
// Parse the Consul token
if consulToken == "" {
// Check the environment variable
consulToken = os.Getenv("CONSUL_TOKEN")
consulToken = os.Getenv("CONSUL_HTTP_TOKEN")
}

// Parse the Vault token
Expand Down
6 changes: 3 additions & 3 deletions command/job_run.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ Alias: nomad run

The run command will set the consul_token of the job based on the following
precedence, going from highest to lowest: the -consul-token flag, the
$CONSUL_TOKEN environment variable and finally the value in the job file.
$CONSUL_HTTP_TOKEN environment variable and finally the value in the job file.

The run command will set the vault_token of the job based on the following
precedence, going from highest to lowest: the -vault-token flag, the
Expand Down Expand Up @@ -89,7 +89,7 @@ Run Options:
-consul-token
If set, the passed Consul token is stored in the job before sending to the
Nomad servers. This allows passing the Consul token without storing it in
the job file. This overrides the token found in $CONSUL_TOKEN environment
the job file. This overrides the token found in $CONSUL_HTTP_TOKEN environment
variable and that found in the job.

-vault-token
Expand Down Expand Up @@ -190,7 +190,7 @@ func (c *JobRunCommand) Run(args []string) int {
// Parse the Consul token
if consulToken == "" {
// Check the environment variable
consulToken = os.Getenv("CONSUL_TOKEN")
consulToken = os.Getenv("CONSUL_HTTP_TOKEN")
}

if consulToken != "" {
Expand Down
2 changes: 1 addition & 1 deletion nomad/structs/config/consul.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ func DefaultConsulConfig() *ConsulConfig {
// creation of Consul Service Identity tokens for Consul Connect enabled Tasks.
//
// If allow_unauthenticated is false, the operator must provide a token on
// job submission (i.e. -consul-token or $CONSUL_TOKEN).
// job submission (i.e. -consul-token or $CONSUL_HTTP_TOKEN).
func (c *ConsulConfig) AllowsUnauthenticated() bool {
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
}
Expand Down