vault: ignore allow_unauthenticated config if identity is set (#19585)

When the server's `vault` block has a default identity, we don't check the user's Vault token (and in fact, we warn them on job submit if they've provided one). But the validation hook still checks for a token if `allow_unauthenticated` is set to true. This is a misconfiguration but there's no reason for Nomad not to do the expected thing here. Fixes: https://github.com/hashicorp/nomad/issues/19565
2026-01-01 16:05:42 +03:00 · 2024-01-02 16:46:34 -05:00
parent cd8a03431c
commit e7ca2b51ad
4 changed files with 19 additions and 2 deletions
--- a/.changelog/19585.txt
+++ b/.changelog/19585.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault: Fixed a bug where `allow_unauthenticated` was enforced when a `default_identity` was set
+```
--- a/nomad/job_endpoint_hook_vault.go
+++ b/nomad/job_endpoint_hook_vault.go
@@ -38,7 +38,7 @@ func (h jobVaultHook) Validate(job *structs.Job) ([]error, error) {
 				return nil, fmt.Errorf("Vault %q not enabled but used in the job",
 					vaultBlock.Cluster)
 			}
-			if !vconf.AllowsUnauthenticated() {
+			if vconf.DefaultIdentity == nil && !vconf.AllowsUnauthenticated() {
 				requiresToken = true
 			}
 		}
--- a/nomad/job_endpoint_hook_vault_ce_test.go
+++ b/nomad/job_endpoint_hook_vault_ce_test.go
@@ -10,8 +10,10 @@ import (
 	"testing"

 	"github.com/hashicorp/nomad/ci"
+	"github.com/hashicorp/nomad/helper/pointer"
 	"github.com/hashicorp/nomad/nomad/mock"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/hashicorp/nomad/testutil"
 	"github.com/shoenig/test/must"
 )
@@ -21,6 +23,12 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {

 	srv, cleanup := TestServer(t, func(c *Config) {
 		c.NumSchedulers = 0
+		c.VaultConfigs[structs.VaultDefaultCluster].Enabled = pointer.Of(true)
+		c.VaultConfigs[structs.VaultDefaultCluster].AllowUnauthenticated = pointer.Of(false)
+		c.VaultConfigs[structs.VaultDefaultCluster].DefaultIdentity = &config.WorkloadIdentityConfig{
+			Name:     "vault_default",
+			Audience: []string{"vault.io"},
+		}
 	})
 	t.Cleanup(cleanup)
 	testutil.WaitForLeader(t, srv.RPC)
@@ -44,4 +52,9 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 	err = hook.validateClustersForNamespace(job, job.Vault())
 	must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise")

+	job = mock.Job()
+	job.TaskGroups[0].Tasks[0].Vault = &structs.Vault{Cluster: structs.VaultDefaultCluster}
+	warnings, err := hook.Validate(job)
+	must.Len(t, 0, warnings)
+	must.NoError(t, err)
 }
--- a/website/content/docs/configuration/vault.mdx
+++ b/website/content/docs/configuration/vault.mdx
@@ -140,7 +140,8 @@ agents with [`server.enabled`] set to `true`.
  Specifies the default workload identity configuration to use when a task with
  a `vault` block does not specify an [`identity`][jobspec_identity] block
  named `vault_<name>`, where `<name>` matches the value of this `vault` block
-  [`name`](#name) parameter.
+  [`name`](#name) parameter. Setting a default identity causes the value of
+  `allow_unauthenticated` to be ignored.

 ### Deprecated Parameters