mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
8bce0b0954
Nomad 1.10.0 is removing the legacy Vault token based workflow which means the legacy e2e compatibility tests will fail and not work. The Nomad e2e cluster was using the legacy Vault token based workflow for initial cluster build. This change migrates to using the workload identity flow which utilizes authentication methods, roles, and policies. The Nomad server network has been modified to allow traffic from the HCP Vault HVN which is a private network peered into our AWS account. This is required, so that Vault can pull JWKS information from the Nomad API without going over the public internet. The cluster build will now also configure a Vault KV v2 mount at a unique indentifier for the e2e cluster. This allows all Nomad workloads and tests to use this if required. The vaultsecrets suite has been updated to accommodate the new changes and extended to test the default workload ID flow for allocations which use Vault for secrets.
74 lines
2.0 KiB
Go
74 lines
2.0 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package vaultcompat
|
|
|
|
import "fmt"
|
|
|
|
const (
|
|
// jwtPath is where the JWT auth method is mounted in Vault.
|
|
// Use a non-default value for a more realistic scenario.
|
|
jwtPath = "nomad_jwt"
|
|
)
|
|
|
|
// authConfigJWT is the configuration for the JWT auth method used by Nomad.
|
|
func authConfigJWT(jwksURL string) map[string]any {
|
|
return map[string]any{
|
|
"jwks_url": jwksURL,
|
|
"jwt_supported_algs": []string{"RS256", "EdDSA"},
|
|
"default_role": "nomad-workloads",
|
|
}
|
|
}
|
|
|
|
// roleWID is the recommended role for Nomad workloads when using JWT and
|
|
// workload identity.
|
|
func roleWID(policies []string) map[string]any {
|
|
return map[string]any{
|
|
"role_type": "jwt",
|
|
"bound_audiences": "vault.io",
|
|
"user_claim": "/extra_claims/nomad_workload_id",
|
|
"user_claim_json_pointer": true,
|
|
"claim_mappings": map[string]any{
|
|
"nomad_namespace": "nomad_namespace",
|
|
"nomad_job_id": "nomad_job_id",
|
|
},
|
|
"token_type": "service",
|
|
"token_period": "30m",
|
|
"token_policies": policies,
|
|
}
|
|
}
|
|
|
|
// policyWID is a templated Vault policy that grants tasks access to secret
|
|
// paths prefixed by <namespace>/<job>.
|
|
func policyWID(mountAccessor string) string {
|
|
return fmt.Sprintf(`
|
|
path "secret/data/{{identity.entity.aliases.%[1]s.metadata.nomad_namespace}}/{{identity.entity.aliases.%[1]s.metadata.nomad_job_id}}/*" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "secret/data/{{identity.entity.aliases.%[1]s.metadata.nomad_namespace}}/{{identity.entity.aliases.%[1]s.metadata.nomad_job_id}}" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "secret/metadata/{{identity.entity.aliases.%[1]s.metadata.nomad_namespace}}/*" {
|
|
capabilities = ["list"]
|
|
}
|
|
|
|
path "secret/metadata/*" {
|
|
capabilities = ["list"]
|
|
}
|
|
`, mountAccessor)
|
|
}
|
|
|
|
// policyRestricted is Vault policy that only grants read access to a specific
|
|
// path.
|
|
const policyRestricted = `
|
|
path "secret/data/restricted" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "secret/metadata/restricted" {
|
|
capabilities = ["list"]
|
|
}
|
|
`
|