mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
Some users with batch workloads or short-lived prestart tasks want to derive a Vault token, use it, and then allow it to expire without requiring a constant refresh.

Add the `vault.allow_token_expiration` field, which works only with the Workload Identity workflow and not the legacy workflow. When set to true, this disables the client's renewal loop in the `vault_hook`. When Vault revokes the token lease, the token will no longer be valid. The client will also now automatically detect if the Vault auth configuration does not allow renewals and will disable the renewal loop automatically.

Note this should only be used when a secret is requested from Vault once at the start of a task or in a short-lived prestart task. Long-running tasks should never set `allow_token_expiration=true` if they obtain Vault secrets via `template` blocks, as the Vault token will expire and the template runner will continue to make failing requests to Vault until the `vault_retry` attempts are exhausted.

Fixes: https://github.com/hashicorp/nomad/issues/8690
8 lines
266 B
Plaintext
```release-note:improvement
vault: Add `allow_token_expiration` field to allow Vault tokens to expire without renewal for short-lived tasks
```

```release-note:improvement
vault: Nomad clients will no longer attempt to renew Vault tokens that cannot be renewed
```
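A jobspec sketch of the usage the commit message describes, added here as an example and not taken from the Nomad repository: the short-lived prestart task sets `allow_token_expiration`, while the task that reads secrets through a `template` block leaves renewal on. Job, task and image names, the Vault address and the secret path are constructed.

```hcl
# Added example. All names, the Vault address and the secret path are constructed.
job "nightly-export" {
  type = "batch"

  group "export" {
    # Short-lived prestart task: reads one secret at start, then exits.
    task "fetch-credentials" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      vault {
        # Workload Identity workflow only (per the commit message).
        # The client does not run its renewal loop for this token.
        allow_token_expiration = true
      }

      env {
        VAULT_ADDR = "https://vault.example.internal:8200" # constructed
      }

      config {
        image   = "hashicorp/vault:1.15"
        command = "/bin/sh"
        args    = ["-c", "vault kv get -format=json secret/nightly-export/db > ${NOMAD_ALLOC_DIR}/db.json"]
      }
    }

    # Task that gets secrets via a template block: leave renewal enabled.
    # With allow_token_expiration = true here, the template runner would keep
    # making failing requests once the token expires.
    task "run-export" {
      driver = "docker"
      vault {}

      template {
        destination = "${NOMAD_SECRETS_DIR}/db.env"
        env         = true
        data        = "{{ with secret \"secret/data/nightly-export/db\" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}"
      }

      config { image = "registry.example.internal/exporter:1.0" } # constructed
    }
  }
}
```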