From bfb2dcd172ba85ee3b2135f8ace4ad49c4c2a0eb Mon Sep 17 00:00:00 2001
From: Luiz Aoqui
Date: Wed, 1 Nov 2023 08:23:19 -0400
Subject: [PATCH] Vault small fixes (#18942)

* vault: remove `token_ttl` from `vaultcompat` setup

Since Nomad uses periodic tokens, the right value to set in the role is `token_period`, not `token_ttl`.

* vault: set 1.11.0 as min version for JWT auth

In order to use workload identities JWT auth with Vault it's required to have a Vault cluster running v1.11.0+, which the version where `user_claim_json_pointer` was introduced.
---
 e2e/vaultcompat/cluster_setup_test.go | 3 +--
 e2e/vaultcompat/vaultcompat_test.go | 2 +-
 nomad/job_endpoint_hooks.go | 4 +++-
 nomad/job_endpoint_hooks_test.go | 4 ++--
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/e2e/vaultcompat/cluster_setup_test.go b/e2e/vaultcompat/cluster_setup_test.go
index 0f1246a31..48a6d7818 100644
--- a/e2e/vaultcompat/cluster_setup_test.go
+++ b/e2e/vaultcompat/cluster_setup_test.go
@@ -42,9 +42,8 @@ func roleWID(policies []string) map[string]any {
 "nomad_namespace": "nomad_namespace",
 "nomad_job_id": "nomad_job_id",
 },
- "token_ttl": "30m",
 "token_type": "service",
- "token_period": "72h",
+ "token_period": "30m",
 "token_policies": policies,
 }
 }
diff --git a/e2e/vaultcompat/vaultcompat_test.go b/e2e/vaultcompat/vaultcompat_test.go
index fdeb286e0..b20cf7cf3 100644
--- a/e2e/vaultcompat/vaultcompat_test.go
+++ b/e2e/vaultcompat/vaultcompat_test.go
@@ -347,7 +347,7 @@ func downloadVaultBuild(t *testing.T, b build) {
 }
 
 func getMinimumVersion(t *testing.T) *version.Version {
- v, err := version.NewVersion("1.1.0")
+ v, err := version.NewVersion("1.11.0")
 must.NoError(t, err)
 return v
 }
diff --git a/nomad/job_endpoint_hooks.go b/nomad/job_endpoint_hooks.go
index be11169d4..5b1443bca 100644
--- a/nomad/job_endpoint_hooks.go
+++ b/nomad/job_endpoint_hooks.go
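Review bot: The role map built by `roleWID` now carries only `token_period`, but nothing in the fixture records why `token_ttl` was dropped, so it is likely to be re-added by someone copying a Vault example. A one-line comment above the `"token_period": "30m",` entry, such as `// Nomad renews this as a periodic token; token_period (not token_ttl) bounds the renewal window.`, would capture the reasoning given in the commit message. The shorter 30m period also shrinks the lifetime of any test token that escapes the run, which is reasonable, but it only exercises Nomad's renewal path if some test outlives that window. The enclosing `roleWID` function starts outside the hunk.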
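Review bot: `getMinimumVersion` hard-codes "1.11.0" with no comment tying it to the `user_claim_json_pointer` requirement stated in the commit message, and the same floor is spelled out again as `">= 1.11.0"` in `vaultConstraintFn` in nomad/job_endpoint_hooks.go. A doc comment `// getMinimumVersion returns the oldest Vault release the compat suite runs against; JWT auth with user_claim_json_pointer needs 1.11.0+.` would record the reason at the point of use. Deriving both values from one shared constant would keep the e2e floor and the scheduler constraint from drifting apart the next time the minimum moves. The function is fully visible in the hunk.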
@@ -265,9 +265,11 @@ func (jobImpliedConstraints) Mutate(j *structs.Job) (*structs.Job, []error, erro
 // need to split out the behavior to ENT-specific code.
 func vaultConstraintFn(vault *structs.Vault) *structs.Constraint {
 if vault.Cluster != structs.VaultDefaultCluster && vault.Cluster != "" {
+ // Non-default clusters use workload identities to derive tokens, which
+ // require Vault 1.11.0+.
 return &structs.Constraint{
 LTarget: fmt.Sprintf("${attr.vault.%s.version}", vault.Cluster),
- RTarget: ">= 0.6.1",
+ RTarget: ">= 1.11.0",
 Operand: structs.ConstraintSemver,
 }
 }
diff --git a/nomad/job_endpoint_hooks_test.go b/nomad/job_endpoint_hooks_test.go
index e1a2b72ad..d23ff0282 100644
--- a/nomad/job_endpoint_hooks_test.go
+++ b/nomad/job_endpoint_hooks_test.go
@@ -468,9 +468,9 @@ func Test_jobImpliedConstraints_Mutate(t *testing.T) {
 },
 },
 Constraints: []*structs.Constraint{
- &structs.Constraint{
+ {
 LTarget: "${attr.vault.infra.version}",
- RTarget: ">= 0.6.1",
+ RTarget: ">= 1.11.0",
 Operand: structs.ConstraintSemver,
 },
 vaultConstraint,
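Review bot: The minimum version on the `RTarget` line is a bare literal `">= 1.11.0"` that is repeated verbatim in `Test_jobImpliedConstraints_Mutate` (the next hunk) and as "1.11.0" in the e2e `getMinimumVersion`; a named constant in this package, e.g. `const vaultWIDMinVersion = ">= 1.11.0"`, used by both the constraint and the test, would keep the three occurrences in step when the floor moves again. The new comment is welcome, but it should also say what the constraint guarantees: it is a placement constraint keyed on the client-fingerprinted `attr.vault.<cluster>.version`, so it steers allocations to clients whose Vault reports a new-enough version and does not by itself confirm that a JWT auth mount exists there. The `if` only covers non-default clusters; what the default-cluster branch returns is outside the hunk, so whether legacy-token clusters keep the older floor cannot be confirmed from here. `vaultConstraintFn`'s body continues outside the hunk.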