Tim Gross 2cf341b761 drain: use authenticated ID as source of drained-by metadata (#20317) ...

When a node is set to drain, the state store reads the auth token off the
request to record `LastDrain` metadata about the token used to drain the
node. This code path in the state store can't correctly handle signed Workload
Identity tokens or bearer tokens that may have expired (for example, while
restarting a server and applying uncompacted Raft logs).

Rather than re-authenticating the request at the time of FSM apply, record the
string derived from the authenticated identity as part of the Raft log
entry.

Fixes: https://github.com/hashicorp/nomad/issues/17471

2024-04-09 09:28:24 -04:00

259 B

Raw Permalink Blame History

View Raw