From e7ca2b51ad1bde9d128d35108587e5eedd0b4458 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Tue, 2 Jan 2024 16:46:34 -0500
Subject: [PATCH] vault: ignore `allow_unauthenticated` config if identity is set (#19585)

When the server's `vault` block has a default identity, we don't check the user's Vault token (and in fact, we warn them on job submit if they've provided one). But the validation hook still checks for a token if `allow_unauthenticated` is set to true. This is a misconfiguration but there's no reason for Nomad not to do the expected thing here.

Fixes: https://github.com/hashicorp/nomad/issues/19565
---
 .changelog/19585.txt | 3 +++
 nomad/job_endpoint_hook_vault.go | 2 +-
 nomad/job_endpoint_hook_vault_ce_test.go | 13 +++++++++++++
 website/content/docs/configuration/vault.mdx | 3 ++-
 4 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/19585.txt

diff --git a/.changelog/19585.txt b/.changelog/19585.txt
new file mode 100644
index 000000000..96f082310
--- /dev/null
+++ b/.changelog/19585.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault: Fixed a bug where `allow_unauthenticated` was enforced when a `default_identity` was set
+```
diff --git a/nomad/job_endpoint_hook_vault.go b/nomad/job_endpoint_hook_vault.go
index 78af2db88..8244c24a1 100644
--- a/nomad/job_endpoint_hook_vault.go
+++ b/nomad/job_endpoint_hook_vault.go
@@ -38,7 +38,7 @@ func (h jobVaultHook) Validate(job *structs.Job) ([]error, error) {
 return nil, fmt.Errorf("Vault %q not enabled but used in the job", vaultBlock.Cluster)
 }
 
- if !vconf.AllowsUnauthenticated() {
+ if vconf.DefaultIdentity == nil && !vconf.AllowsUnauthenticated() {
 requiresToken = true
 }
 }
diff --git a/nomad/job_endpoint_hook_vault_ce_test.go b/nomad/job_endpoint_hook_vault_ce_test.go
index 027e55be8..bced997d6 100644
--- a/nomad/job_endpoint_hook_vault_ce_test.go
+++ b/nomad/job_endpoint_hook_vault_ce_test.go
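Review bot: The new condition on the `if` line silently drops the token requirement whenever `DefaultIdentity` is set, so an operator's explicit `allow_unauthenticated = false` is overridden with no trace in the code; a short comment should record the intent, e.g. `// A default workload identity replaces token auth, so allow_unauthenticated is not consulted here.` The commit description says a warning is already emitted when a job submits a token in this configuration, which is where users learn about the override, but a reader of this method gets no hint. If it does not already happen, surfacing the conflicting `allow_unauthenticated`/`default_identity` settings once at config load would make the override visible to operators rather than only discoverable from the docs. The enclosing Validate method starts and ends outside the hunk.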
@@ -10,8 +10,10 @@ import (
 "testing"
 
 "github.com/hashicorp/nomad/ci"
+ "github.com/hashicorp/nomad/helper/pointer"
 "github.com/hashicorp/nomad/nomad/mock"
 "github.com/hashicorp/nomad/nomad/structs"
+ "github.com/hashicorp/nomad/nomad/structs/config"
 "github.com/hashicorp/nomad/testutil"
 "github.com/shoenig/test/must"
 )
@@ -21,6 +23,12 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 
 srv, cleanup := TestServer(t, func(c *Config) {
 c.NumSchedulers = 0
+ c.VaultConfigs[structs.VaultDefaultCluster].Enabled = pointer.Of(true)
+ c.VaultConfigs[structs.VaultDefaultCluster].AllowUnauthenticated = pointer.Of(false)
+ c.VaultConfigs[structs.VaultDefaultCluster].DefaultIdentity = &config.WorkloadIdentityConfig{
+ Name: "vault_default",
+ Audience: []string{"vault.io"},
+ }
 })
 t.Cleanup(cleanup)
 testutil.WaitForLeader(t, srv.RPC)
@@ -44,4 +52,9 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 err = hook.validateClustersForNamespace(job, job.Vault())
 must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise")
 
+ job = mock.Job()
+ job.TaskGroups[0].Tasks[0].Vault = &structs.Vault{Cluster: structs.VaultDefaultCluster}
+ warnings, err := hook.Validate(job)
+ must.Len(t, 0, warnings)
+ must.NoError(t, err)
 }
diff --git a/website/content/docs/configuration/vault.mdx b/website/content/docs/configuration/vault.mdx
index d4c15e123..8d448a70d 100644
--- a/website/content/docs/configuration/vault.mdx
+++ b/website/content/docs/configuration/vault.mdx
@@ -140,7 +140,8 @@ agents with [`server.enabled`] set to `true`.
 Specifies the default workload identity configuration to use when a task with a `vault` block does not specify an [`identity`][jobspec_identity] block named `vault_`, where `` matches the value of this `vault` block
-  [`name`](#name) parameter.
+  [`name`](#name) parameter. Setting a default identity causes the value of
+  `allow_unauthenticated` to be ignored.
 
 ### Deprecated Parameters
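Review bot: The assertions added at the end of the last hunk only cover the permissive path — with `DefaultIdentity` set, a job with a `vault` block and no token passes `hook.Validate` — but nothing checks that the token requirement still holds when `DefaultIdentity` is nil and `AllowUnauthenticated` is false, so a regression that dropped the `AllowsUnauthenticated()` check entirely would still pass this test. Since the server config is fixed in the `TestServer` callback in the second hunk, a second case would need either a separate server or a hook built from a Vault config with `DefaultIdentity = nil`, asserting that `Validate` returns an error for the same job. The `TestJobEndpointHook_VaultCE` function begins outside these hunks.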