kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
fed1992cea5ec4f81294076805737c83fa2b0e74
nomad/command/agent/testdata/basic.json
Luiz Aoqui fed1992cea vault: remove use_identity agent config (#18592) 
The initial intention behind the `vault.use_identity` configuration was
to indicate to Nomad servers that they would need to sign a workload
identities for allocs with a `vault` block.

But in order to support identity renewal, #18262 and #18431 moved the
token signing logic to the alloc runner since a new token needs to be
signed prior to the TTL expiring.

So #18343 implemented `use_identity` as a flag to indicate that the
workload identity JWT flow should be used when deriving Vault tokens for
tasks.

But this configuration value is set on servers so it is not available to
clients at the time of token derivation, making its meaning not clear: a
job may end up using the identity-based flow even when `use_identity` is
`false`.

The only reliable signal available to clients at token derivation time
is the presence of an `identity` block for Vault, and this is already
configured with the `vault.default_identity` configuration block, making
`vault.use_identity` redundant.

This commit removes the `vault.use_identity` configuration and
simplifies the logic on when an implicit Vault identity is injected into
tasks.
2023-09-27 17:44:07 -03:00

413 lines
9.0 KiB
JSON
Raw Blame History

{
"acl": [
{
"enabled": true,
"policy_ttl": "60s",
"replication_token": "foobar",
"token_ttl": "60s",
"role_ttl": "60s",
"token_min_expiration_ttl": "1h",
"token_max_expiration_ttl": "100h"
}
],
"audit": {
"enabled": true,
"sink": [
{
"file": {
"type": "file",
"format": "json",
"delivery_guarantee": "enforced",
"path": "/opt/nomad/audit.log",
"rotate_bytes": 100,
"rotate_duration": "24h",
"rotate_max_files": 10
}
}
],
"filter": [
{
"default": [
{
"endpoints": [
"/v1/metrics"
],
"operations": [
"*"
],
"stages": [
"*"
],
"type": "HTTPEvent"
}
]
}
]
},
"addresses": [
{
"http": "127.0.0.1",
"rpc": "127.0.0.2",
"serf": "127.0.0.3"
}
],
"advertise": [
{
"rpc": "127.0.0.3",
"serf": "127.0.0.4"
}
],
"autopilot": [
{
"cleanup_dead_servers": true,
"disable_upgrade_migration": true,
"enable_custom_upgrades": true,
"enable_redundancy_zones": true,
"last_contact_threshold": "12705s",
"max_trailing_logs": 17849,
"min_quorum": 3,
"server_stabilization_time": "23057s"
}
],
"bind_addr": "192.168.0.1",
"client": [
{
"alloc_dir": "/tmp/alloc",
"bridge_network_name": "custom_bridge_name",
"bridge_network_subnet": "custom_bridge_subnet",
"chroot_env": [
{
"/opt/myapp/bin": "/bin",
"/opt/myapp/etc": "/etc"
}
],
"client_max_port": 2000,
"client_min_port": 1000,
"cni_path": "/tmp/cni_path",
"cpu_total_compute": 4444,
"disable_remote_exec": true,
"enabled": true,
"gc_disk_usage_threshold": 82,
"gc_inode_usage_threshold": 91,
"gc_interval": "6s",
"gc_max_allocs": 50,
"gc_parallel_destroys": 6,
"host_volume": [
{
"tmp": [
{
"path": "/tmp"
}
]
}
],
"max_kill_timeout": "10s",
"meta": [
{
"baz": "zip",
"foo": "bar"
}
],
"network_interface": "eth0",
"network_speed": 100,
"no_host_uuid": false,
"node_class": "linux-medium-64bit",
"options": [
{
"baz": "zip",
"foo": "bar"
}
],
"reserved": [
{
"cpu": 10,
"disk": 10,
"memory": 10,
"reserved_ports": "1,100,10-12"
}
],
"server_join": [
{
"retry_interval": "15s",
"retry_join": [
"1.1.1.1",
"2.2.2.2"
],
"retry_max": 3
}
],
"servers": [
"a.b.c:80",
"127.0.0.1:1234"
],
"state_dir": "/tmp/client-state",
"stats": [
{
"collection_interval": "5s",
"data_points": 35
}
]
}
],
"consul": [
{
"address": "127.0.0.1:9500",
"allow_unauthenticated": true,
"auth": "username:pass",
"auto_advertise": true,
"ca_file": "/path/to/ca/file",
"cert_file": "/path/to/cert/file",
"checks_use_advertise": true,
"client_auto_join": true,
"client_http_check_name": "nomad-client-http-health-check",
"client_service_name": "nomad-client",
"key_file": "/path/to/key/file",
"server_auto_join": true,
"server_http_check_name": "nomad-server-http-health-check",
"server_rpc_check_name": "nomad-server-rpc-health-check",
"server_serf_check_name": "nomad-server-serf-health-check",
"server_service_name": "nomad",
"service_identity": {
"aud": [
"consul.io",
"nomad.dev"
],
"env": false,
"file": true,
"ttl": "1h"
},
"ssl": true,
"task_identity": {
"aud": [
"consul.io"
],
"env": true,
"file": false,
"ttl": "2h"
},
"timeout": "5s",
"token": "token1",
"use_identity": true,
"verify_ssl": true
}
],
"data_dir": "/tmp/nomad",
"datacenter": "dc2",
"disable_anonymous_signature": true,
"disable_update_check": true,
"enable_debug": true,
"enable_syslog": true,
"http_api_response_headers": [
{
"Access-Control-Allow-Origin": "*"
}
],
"leave_on_interrupt": true,
"leave_on_terminate": true,
"log_file": "/var/log/nomad.log",
"log_json": true,
"log_level": "ERR",
"name": "my-web",
"plugin": [
{
"docker": [
{
"args": [
"foo",
"bar"
],
"config": [
{
"foo": "bar",
"nested": [
{
"bam": 2
}
]
}
]
}
]
},
{
"exec": [
{
"config": [
{
"foo": true
}
]
}
]
}
],
"plugin_dir": "/tmp/nomad-plugins",
"ports": [
{
"http": 1234,
"rpc": 2345,
"serf": 3456
}
],
"region": "foobar",
"sentinel": [
{
"import": [
{
"foo": [
{
"args": [
"a",
"b",
"c"
],
"path": "foo"
}
]
},
{
"bar": [
{
"args": [
"x",
"y",
"z"
],
"path": "bar"
}
]
}
]
}
],
"server": [
{
"acl_token_gc_threshold": "12h",
"authoritative_region": "foobar",
"bootstrap_expect": 5,
"csi_plugin_gc_threshold": "12h",
"csi_volume_claim_gc_threshold": "12h",
"data_dir": "/tmp/data",
"deployment_gc_threshold": "12h",
"enabled": true,
"enable_event_broker": false,
"event_buffer_size": 200,
"enabled_schedulers": [
"test"
],
"encrypt": "abc",
"eval_gc_threshold": "12h",
"csi_volume_claim_gc_interval": "3m",
"heartbeat_grace": "30s",
"job_gc_interval": "3m",
"job_gc_threshold": "12h",
"max_heartbeats_per_second": 11,
"min_heartbeat_ttl": "33s",
"failover_heartbeat_ttl": "330s",
"node_gc_threshold": "12h",
"non_voting_server": true,
"num_schedulers": 2,
"plan_rejection_tracker": {
"enabled": true,
"node_threshold": 100,
"node_window": "41m"
},
"raft_protocol": 3,
"raft_multiplier": 4,
"redundancy_zone": "foo",
"rejoin_after_leave": true,
"retry_interval": "15s",
"retry_join": [
"1.1.1.1",
"2.2.2.2"
],
"retry_max": 3,
"server_join": [
{
"retry_interval": "15s",
"retry_join": [
"1.1.1.1",
"2.2.2.2"
],
"retry_max": 3
}
],
"start_join": [
"1.1.1.1",
"2.2.2.2"
],
"default_scheduler_config": [
{
"scheduler_algorithm": "spread",
"preemption_config": [
{
"batch_scheduler_enabled": true,
"system_scheduler_enabled": true,
"service_scheduler_enabled": true
}
]
}
],
"upgrade_version": "0.8.0",
"license_path": "/tmp/nomad.hclic",
"job_default_priority": 100,
"job_max_priority": 200
}
],
"syslog_facility": "LOCAL1",
"telemetry": [
{
"collection_interval": "3s",
"disable_hostname": true,
"prometheus_metrics": true,
"publish_allocation_metrics": true,
"publish_node_metrics": true,
"statsd_address": "127.0.0.1:2345",
"statsite_address": "127.0.0.1:1234"
}
],
"tls": [
{
"ca_file": "foo",
"cert_file": "bar",
"http": true,
"key_file": "pipe",
"rpc": true,
"rpc_upgrade_mode": true,
"tls_cipher_suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"tls_min_version": "tls12",
"tls_prefer_server_cipher_suites": true,
"verify_https_client": true,
"verify_server_hostname": true
}
],
"vault": [
{
"address": "127.0.0.1:9500",
"allow_unauthenticated": true,
"ca_file": "/path/to/ca/file",
"ca_path": "/path/to/ca",
"cert_file": "/path/to/cert/file",
"create_from_role": "test_role",
"default_identity": {
"aud": ["vault.io", "nomad.io"],
"env": false,
"file": true,
"ttl": "3h"
},
"enabled": false,
"key_file": "/path/to/key/file",
"task_token_ttl": "1s",
"tls_server_name": "foobar",
"tls_skip_verify": true,
"token": "12345"
}
],
"reporting":{
"license":{
"enabled":"true"
}
}
}
Reference in New Issue View Git Blame Copy Permalink