diff --git a/.changelog/19585.txt b/.changelog/19585.txt
new file mode 100644
index 000000000..96f082310
--- /dev/null
+++ b/.changelog/19585.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault: Fixed a bug where `allow_unauthenticated` was enforced when a `default_identity` was set
+```
diff --git a/nomad/job_endpoint_hook_vault.go b/nomad/job_endpoint_hook_vault.go
index 78af2db88..8244c24a1 100644
--- a/nomad/job_endpoint_hook_vault.go
+++ b/nomad/job_endpoint_hook_vault.go
@@ -38,7 +38,7 @@ func (h jobVaultHook) Validate(job *structs.Job) ([]error, error) {
 return nil, fmt.Errorf("Vault %q not enabled but used in the job", vaultBlock.Cluster)
 }
 
- if !vconf.AllowsUnauthenticated() {
+ if vconf.DefaultIdentity == nil && !vconf.AllowsUnauthenticated() {
 requiresToken = true
 }
 }
diff --git a/nomad/job_endpoint_hook_vault_ce_test.go b/nomad/job_endpoint_hook_vault_ce_test.go
index 027e55be8..bced997d6 100644
--- a/nomad/job_endpoint_hook_vault_ce_test.go
+++ b/nomad/job_endpoint_hook_vault_ce_test.go
@@ -10,8 +10,10 @@ import (
 "testing"
 
 "github.com/hashicorp/nomad/ci"
+ "github.com/hashicorp/nomad/helper/pointer"
 "github.com/hashicorp/nomad/nomad/mock"
 "github.com/hashicorp/nomad/nomad/structs"
+ "github.com/hashicorp/nomad/nomad/structs/config"
 "github.com/hashicorp/nomad/testutil"
 "github.com/shoenig/test/must"
 )
@@ -21,6 +23,12 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 
 srv, cleanup := TestServer(t, func(c *Config) {
 c.NumSchedulers = 0
+ c.VaultConfigs[structs.VaultDefaultCluster].Enabled = pointer.Of(true)
+ c.VaultConfigs[structs.VaultDefaultCluster].AllowUnauthenticated = pointer.Of(false)
+ c.VaultConfigs[structs.VaultDefaultCluster].DefaultIdentity = &config.WorkloadIdentityConfig{
+ Name: "vault_default",
+ Audience: []string{"vault.io"},
+ }
 })
 t.Cleanup(cleanup)
 testutil.WaitForLeader(t, srv.RPC)
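Review bot: The new condition on the `if` line bundles two distinct policies — a configured default identity and the `allow_unauthenticated` flag — without saying why the first short-circuits the second, and a reader who has not seen the changelog will wonder whether the extra clause is accidental. I would add above it: `// A configured default workload identity supersedes allow_unauthenticated: the token requirement applies only when the cluster has no default identity to fall back on.` Note that only the cluster-level default is consulted here; if a task that brings its own `vault_<cluster>` identity block is also meant to be exempt from the token requirement, that case is not visible in this hunk and presumably lives elsewhere in Validate. Validate begins and ends outside the hunk.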
@@ -44,4 +52,9 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 err = hook.validateClustersForNamespace(job, job.Vault())
 must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise")
 
+ job = mock.Job()
+ job.TaskGroups[0].Tasks[0].Vault = &structs.Vault{Cluster: structs.VaultDefaultCluster}
+ warnings, err := hook.Validate(job)
+ must.Len(t, 0, warnings)
+ must.NoError(t, err)
 }
diff --git a/website/content/docs/configuration/vault.mdx b/website/content/docs/configuration/vault.mdx
index d4c15e123..8d448a70d 100644
--- a/website/content/docs/configuration/vault.mdx
+++ b/website/content/docs/configuration/vault.mdx
@@ -140,7 +140,8 @@ agents with [`server.enabled`] set to `true`.
 Specifies the default workload identity configuration to use when a task with a `vault` block does not specify an [`identity`][jobspec_identity] block named `vault_`, where `` matches the value of this `vault` block
- [`name`](#name) parameter.
+ [`name`](#name) parameter. Setting a default identity causes the value of
+ `allow_unauthenticated` to be ignored.
 
 ### Deprecated Parameters
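Review bot: The added assertions only exercise the permissive branch — Validate succeeding when a default identity is configured — so nothing here would catch a regression that dropped the token requirement altogether (for example the new condition collapsing to `false`). A companion case with `DefaultIdentity` nil and `AllowUnauthenticated` set to false should assert that an otherwise identical job fails Validate; since the server config is fixed inside the TestServer closure in the earlier hunk, that presumably needs a second server or a subtest. The scenario also deserves a line of intent on `job = mock.Job()`, e.g. `// default_identity is set, so allow_unauthenticated=false must not force a token`. The enclosing test function starts outside the hunk.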