server: Gate node identity generation on server min version. (#26847)

James Rasell
2025-09-29 15:17:00 +01:00
committed by GitHub
parent 0f88530bd8
commit 250b8f9d07
2 changed files with 87 additions and 59 deletions


@@ -89,6 +89,14 @@ var minVersionMultiIdentities = version.Must(version.NewVersion("1.7.0"))
// servers must meet before the feature can be used.
var minVersionDynamicHostVolumes = version.Must(version.NewVersion("1.10.0"))
// minVersionNodeIdentity is the Nomad version at which the node identity
// feature was introduced. It forms the minimum version all local servers must
// meet before the feature can be used.
//
// TODO(jrasell): Update this when we have a stable release with node identity
// support.
var minVersionNodeIdentity = version.Must(version.NewVersion("1.10.6-dev"))
// minVersionNodeIntro is the Nomad version at which the node introduction
// feature was introduced. It forms the minimum version all local servers must
// meet before the feature can be used.
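Review bot: The floor for the node identity gate is the pre-release string `1.10.6-dev`, so which builds pass depends on how ServersMeetMinimumVersion orders pre-release versions, and that helper is not visible in this section. Under plain semantic-version ordering a build tagged, say, `1.10.6-beta.1` sorts below `1.10.6-dev` while `1.10.6-rc.1` sorts above it, so it is worth confirming the helper compares on the numeric segments only. The TODO also carries no issue reference; I would extend it to something like `// TODO(jrasell): set to the first stable release with node identity support before that release is cut (tracking: <issue placeholder>).` so the `-dev` floor cannot ship unnoticed.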


@@ -215,6 +215,15 @@ func (n *Node) Register(args *structs.NodeRegisterRequest, reply *structs.NodeUp
args.CreateNodePool = true
}
// Only perform the node identity work if all the servers meet the minimum
// version that supports it.
if ServersMeetMinimumVersion(
n.srv.Members(),
n.srv.Region(),
minVersionNodeIdentity,
false,
) {
// Track the TTL that will be used for the node identity.
var identityTTL time.Duration
@@ -249,6 +258,7 @@ func (n *Node) Register(args *structs.NodeRegisterRequest, reply *structs.NodeUp
} else if originalNode != nil {
args.Node.IdentitySigningKeyID = originalNode.IdentitySigningKeyID
}
}
_, index, err := n.srv.raftApply(structs.NodeRegisterRequestType, args)
if err != nil {
@@ -723,9 +733,6 @@ func (n *Node) UpdateStatus(args *structs.NodeUpdateStatusRequest, reply *struct
timeNow := time.Now()
args.UpdatedAt = timeNow.Unix()
// Track the TTL that will be used for the node identity.
var identityTTL time.Duration
// The identity TTL is determined by the node pool the node is registered
// in. The pool should already exist, as the node is already registered. If
// it does not, we use the default TTL as we have no better value to use.
@@ -736,6 +743,18 @@ func (n *Node) UpdateStatus(args *structs.NodeUpdateStatusRequest, reply *struct
if err != nil {
return fmt.Errorf("failed to query node pool: %v", err)
}
// Only perform the node identity work if all the servers meet the minimum
// version that supports it.
if ServersMeetMinimumVersion(
n.srv.Members(),
n.srv.Region(),
minVersionNodeIdentity,
false,
) {
// Track the TTL that will be used for the node identity.
var identityTTL time.Duration
if nodePool == nil {
identityTTL = structs.DefaultNodePoolNodeIdentityTTL
} else {
@@ -769,6 +788,7 @@ func (n *Node) UpdateStatus(args *structs.NodeUpdateStatusRequest, reply *struct
// updates unless we need to.
args.IdentitySigningKeyID = ""
}
}
// Compute next status.
switch node.Status {
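Review bot: When the version gate is closed, the code that normalises the signing key ID no longer runs, so whatever the request carried in `args.Node.IdentitySigningKeyID` (Register) or `args.IdentitySigningKeyID` (UpdateStatus) continues unchanged. In Register it goes straight to `n.srv.raftApply`; in UpdateStatus it flows into the rest of the handler. Before this change those assignments ran unconditionally; unless the field is sanitised elsewhere, I would add an else branch such as `} else { args.IdentitySigningKeyID = "" }` in UpdateStatus, with the equivalent for `args.Node` in Register, so a mixed-version cluster never stores a client-supplied key ID. The bare `false` passed as the last argument of both ServersMeetMinimumVersion calls would also read better with a short comment naming what it selects (failed servers are not checked, if I read the helper right), since that decides whether an older server that later rejoins is counted. Both function bodies extend outside the visible hunks, so this should be confirmed against the full file.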