kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

vault: ignore allow_unauthenticated config if identity is set (#19585)

Browse Source 
When the server's `vault` block has a default identity, we don't check the
user's Vault token (and in fact, we warn them on job submit if they've provided
one). But the validation hook still checks for a token if
`allow_unauthenticated` is set to true. This is a misconfiguration but there's
no reason for Nomad not to do the expected thing here.

Fixes: https://github.com/hashicorp/nomad/issues/19565
This commit is contained in:
Tim Gross
2024-01-02 16:46:34 -05:00
committed by GitHub
parent cd8a03431c
commit e7ca2b51ad
4 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.changelog/19585.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
vault: Fixed a bug where `allow_unauthenticated` was enforced when a `default_identity` was set
```

2
nomad/job_endpoint_hook_vault.go
View File

@@ -38,7 +38,7 @@ func (h jobVaultHook) Validate(job *structs.Job) ([]error, error) {
return nil, fmt.Errorf("Vault %q not enabled but used in the job", return nil, fmt.Errorf("Vault %q not enabled but used in the job",
vaultBlock.Cluster) vaultBlock.Cluster)
} }
if !vconf.AllowsUnauthenticated() { if vconf.DefaultIdentity == nil && !vconf.AllowsUnauthenticated() {
requiresToken = true requiresToken = true
} }
} }

13
nomad/job_endpoint_hook_vault_ce_test.go
View File

@@ -10,8 +10,10 @@ import (
"testing" "testing"
"github.com/hashicorp/nomad/ci" "github.com/hashicorp/nomad/ci"
"github.com/hashicorp/nomad/helper/pointer"
"github.com/hashicorp/nomad/nomad/mock" "github.com/hashicorp/nomad/nomad/mock"
"github.com/hashicorp/nomad/nomad/structs" "github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config"
"github.com/hashicorp/nomad/testutil" "github.com/hashicorp/nomad/testutil"
"github.com/shoenig/test/must" "github.com/shoenig/test/must"
) )
@@ -21,6 +23,12 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
srv, cleanup := TestServer(t, func(c *Config) { srv, cleanup := TestServer(t, func(c *Config) {
c.NumSchedulers = 0 c.NumSchedulers = 0
c.VaultConfigs[structs.VaultDefaultCluster].Enabled = pointer.Of(true)
c.VaultConfigs[structs.VaultDefaultCluster].AllowUnauthenticated = pointer.Of(false)
c.VaultConfigs[structs.VaultDefaultCluster].DefaultIdentity = &config.WorkloadIdentityConfig{
Name: "vault_default",
Audience: []string{"vault.io"},
}
}) })
t.Cleanup(cleanup) t.Cleanup(cleanup)
testutil.WaitForLeader(t, srv.RPC) testutil.WaitForLeader(t, srv.RPC)
@@ -44,4 +52,9 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
err = hook.validateClustersForNamespace(job, job.Vault()) err = hook.validateClustersForNamespace(job, job.Vault())
must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise") must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise")
job = mock.Job()
job.TaskGroups[0].Tasks[0].Vault = &structs.Vault{Cluster: structs.VaultDefaultCluster}
warnings, err := hook.Validate(job)
must.Len(t, 0, warnings)
must.NoError(t, err)
} }

3
website/content/docs/configuration/vault.mdx
View File

@@ -140,7 +140,8 @@ agents with [`server.enabled`] set to `true`.
Specifies the default workload identity configuration to use when a task with Specifies the default workload identity configuration to use when a task with
a `vault` block does not specify an [`identity`][jobspec_identity] block a `vault` block does not specify an [`identity`][jobspec_identity] block
named `vault_<name>`, where `<name>` matches the value of this `vault` block named `vault_<name>`, where `<name>` matches the value of this `vault` block
[`name`](#name) parameter. [`name`](#name) parameter. Setting a default identity causes the value of
`allow_unauthenticated` to be ignored.
### Deprecated Parameters ### Deprecated Parameters