client: Allow operators to force a client to renew its identity. (#26277)

The Nomad client will have its identity renewed according to the TTL which defaults to 24h. In certain situations such as root keyring rotation, operators may want to force clients to renew their identities before the TTL threshold is met. This change introduces a client HTTP and RPC endpoint which will instruct the node to request a new identity at its next heartbeat. This can be used via the API or a new command. While this is a manual intervention step on top of the any keyring rotation, it dramatically reduces the initial feature complexity as it provides an asynchronous and efficient method of renewal that utilises existing functionality.
2026-01-01 16:05:42 +03:00 · 2025-07-16 15:56:00 +02:00
parent 8096ea4129
commit 953a149180
16 changed files with 574 additions and 8 deletions
--- a/api/node_identity.go
+++ b/api/node_identity.go
@@ -0,0 +1,33 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+type NodeIdentityRenewRequest struct {
+	NodeID string
+}
+
+type NodeIdentityRenewResponse struct{}
+
+type NodeIdentity struct {
+	client *Client
+}
+
+func (n *Nodes) Identity() *NodeIdentity {
+	return &NodeIdentity{client: n.client}
+}
+
+// Renew instructs the node to request a new identity from the server at its
+// next heartbeat.
+//
+// The request uses query options to control the forwarding behavior of the
+// request only. Parameters such as Filter, WaitTime, and WaitIndex are not used
+// and ignored.
+func (n *NodeIdentity) Renew(req *NodeIdentityRenewRequest, qo *QueryOptions) (*NodeIdentityRenewResponse, error) {
+	var out NodeIdentityRenewResponse
+	_, err := n.client.postQuery("/v1/client/identity/renew", req, &out, qo)
+	if err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
--- a/api/node_identity_test.go
+++ b/api/node_identity_test.go
@@ -0,0 +1,29 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+	"testing"
+
+	"github.com/hashicorp/nomad/api/internal/testutil"
+	"github.com/shoenig/test/must"
+)
+
+func TestNodeIdentity_Renew(t *testing.T) {
+	testutil.Parallel(t)
+
+	configCallback := func(c *testutil.TestServerConfig) { c.DevMode = true }
+	testClient, testServer := makeClient(t, nil, configCallback)
+	defer testServer.Stop()
+
+	nodeID := oneNodeFromNodeList(t, testClient.Nodes()).ID
+
+	req := NodeIdentityRenewRequest{
+		NodeID: nodeID,
+	}
+
+	resp, err := testClient.Nodes().Identity().Renew(&req, nil)
+	must.NoError(t, err)
+	must.NotNil(t, resp)
+}