Vault small fixes (#18942)

* vault: remove `token_ttl` from `vaultcompat` setup Since Nomad uses periodic tokens, the right value to set in the role is `token_period`, not `token_ttl`. * vault: set 1.11.0 as min version for JWT auth In order to use workload identities JWT auth with Vault it's required to have a Vault cluster running v1.11.0+, which the version where `user_claim_json_pointer` was introduced.
2026-01-04 01:15:43 +03:00 · 2023-11-01 08:23:19 -04:00
parent 5b56a5c5d1
commit bfb2dcd172
4 changed files with 7 additions and 6 deletions
--- a/e2e/vaultcompat/cluster_setup_test.go
+++ b/e2e/vaultcompat/cluster_setup_test.go
@@ -42,9 +42,8 @@ func roleWID(policies []string) map[string]any {
 			"nomad_namespace": "nomad_namespace",
 			"nomad_job_id":    "nomad_job_id",
 		},
-		"token_ttl":      "30m",
 		"token_type":     "service",
-		"token_period":   "72h",
+		"token_period":   "30m",
 		"token_policies": policies,
 	}
 }
--- a/e2e/vaultcompat/vaultcompat_test.go
+++ b/e2e/vaultcompat/vaultcompat_test.go
@@ -347,7 +347,7 @@ func downloadVaultBuild(t *testing.T, b build) {
 }

 func getMinimumVersion(t *testing.T) *version.Version {
-	v, err := version.NewVersion("1.1.0")
+	v, err := version.NewVersion("1.11.0")
 	must.NoError(t, err)
 	return v
 }
--- a/nomad/job_endpoint_hooks.go
+++ b/nomad/job_endpoint_hooks.go
@@ -265,9 +265,11 @@ func (jobImpliedConstraints) Mutate(j *structs.Job) (*structs.Job, []error, erro
 // need to split out the behavior to ENT-specific code.
 func vaultConstraintFn(vault *structs.Vault) *structs.Constraint {
 	if vault.Cluster != structs.VaultDefaultCluster && vault.Cluster != "" {
+		// Non-default clusters use workload identities to derive tokens, which
+		// require Vault 1.11.0+.
 		return &structs.Constraint{
 			LTarget: fmt.Sprintf("${attr.vault.%s.version}", vault.Cluster),
-			RTarget: ">= 0.6.1",
+			RTarget: ">= 1.11.0",
 			Operand: structs.ConstraintSemver,
 		}
 	}
--- a/nomad/job_endpoint_hooks_test.go
+++ b/nomad/job_endpoint_hooks_test.go
@@ -468,9 +468,9 @@ func Test_jobImpliedConstraints_Mutate(t *testing.T) {
 							},
 						},
 						Constraints: []*structs.Constraint{
-							&structs.Constraint{
+							{
 								LTarget: "${attr.vault.infra.version}",
-								RTarget: ">= 0.6.1",
+								RTarget: ">= 1.11.0",
 								Operand: structs.ConstraintSemver,
 							},
 							vaultConstraint,