  1. 10 Jan, 2022 1 commit
      Un-break templates when using vault stanza change_mode noop (#11783) · e9032c10
      grembo authored
      Templates in nomad jobs make use of the vault token defined in
      the vault stanza when issuing credentials like client certificates.
      
      When using change_mode "noop" in the vault stanza, consul-template
      is not informed in case a vault token is re-issued (which can
      happen from time to time for various reasons, as described
      in https://www.nomadproject.io/docs/job-specification/vault).
      
      As a result, consul-template will keep using the old vault token
      to renew credentials and - once the token has expired - stop renewing
      credentials. The symptom of this problem is a vault_token
      file that is newer than the issued credential (e.g., TLS certificate)
      in a job's /secrets directory.
      
      This change corrects this, so that h.updater.updatedVaultToken(token)
      is called, which will inform stakeholders about the new
      token and make sure the new token is used by consul-template.
      
      Example job template fragment:
      
          vault {
              policies = ["nomad-job-policy"]
              change_mode = "noop"
          }
      
          template {
            data = <<-EOH
              {{ with secret "pki_int/issue/nomad-job"
              "common_name=myjob.service.consul" "ttl=90m"
              "alt_names=localhost" "ip_sans=127.0.0.1"}}
              {{ .Data.certificate }}
              {{ .Data.private_key }}
              {{ .Data.issuing_ca }}
              {{ end }}
            EOH
            destination = "${NOMAD_SECRETS_DIR}/myjob.crt"
            change_mode = "noop"
          }
      
      This fix does not alter the meaning of the three change modes of vault:
      
      - "noop" - Take no action
      - "restart" - Restart the job
      - "signal" - Send a signal to the task
      
      as the switch statement following line 232 contains the necessary
      logic.
      
      It is assumed that "take no action" was never meant to mean "don't tell
      consul-template about the new vault token".
      
      Successfully tested in a staging cluster consisting of multiple
      nomad client nodes.
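The failure mode the commit message describes, modeled as an added Go example that is not Nomad's own code: a hypothetical `VaultHook` receives a re-issued token and either (pre-fix) returns early under `change_mode = "noop"` without telling the template runner, or (post-fix) always calls the updater first and only then applies the change mode. All type and function names (`VaultHook`, `TokenUpdater`, `Lifecycle`, `Simulate`) and the token value are constructed for illustration.

```go
package main

import "fmt"

// ChangeMode mirrors the three vault stanza change modes from the commit message.
type ChangeMode string

const (
	ModeNoop    ChangeMode = "noop"
	ModeRestart ChangeMode = "restart"
	ModeSignal  ChangeMode = "signal"
)

// TokenUpdater stands in for the template runner (consul-template side) that
// must learn about every re-issued token, regardless of change mode.
type TokenUpdater interface {
	UpdatedVaultToken(token string)
}

// recordingUpdater is a test double that records the tokens it was told about.
type recordingUpdater struct{ tokens []string }

func (r *recordingUpdater) UpdatedVaultToken(t string) { r.tokens = append(r.tokens, t) }

// Lifecycle stands in for the task actions a change mode may trigger.
type Lifecycle struct{ restarts, signals int }

// VaultHook is a hypothetical hook reacting to a newly issued vault token.
type VaultHook struct {
	mode      ChangeMode
	updater   TokenUpdater
	lifecycle *Lifecycle
}

// handleToken processes a re-issued token. With fixed=false it reproduces the
// bug: "noop" returns before the updater is informed, so the template runner
// keeps the stale token. With fixed=true the updater is always informed and
// the change mode only decides what happens to the task afterwards.
func (h *VaultHook) handleToken(token string, fixed bool) {
	if !fixed && h.mode == ModeNoop {
		return // bug: template runner never hears about the new token
	}
	h.updater.UpdatedVaultToken(token)
	h.applyChangeMode()
}

// applyChangeMode performs the task-level action for the configured mode;
// "noop" intentionally does nothing here, which is the documented meaning.
func (h *VaultHook) applyChangeMode() {
	switch h.mode {
	case ModeNoop:
		// take no action on the task
	case ModeRestart:
		h.lifecycle.restarts++
	case ModeSignal:
		h.lifecycle.signals++
	}
}

// Simulate runs one token rotation through the hook and reports which tokens
// the updater saw and how the task lifecycle was touched.
func Simulate(mode ChangeMode, fixed bool) (seen []string, restarts, signals int) {
	upd := &recordingUpdater{}
	lc := &Lifecycle{}
	h := &VaultHook{mode: mode, updater: upd, lifecycle: lc}
	// Constructed placeholder token; a real one is issued by the Nomad client.
	h.handleToken("example-reissued-token", fixed)
	return upd.tokens, lc.restarts, lc.signals
}

func main() {
	for _, fixed := range []bool{false, true} {
		seen, r, s := Simulate(ModeNoop, fixed)
		fmt.Printf("fixed=%v mode=noop updater saw %v restarts=%d signals=%d\n", fixed, seen, r, s)
	}
}
```

Running `main` shows the pre-fix variant leaving the updater with an empty token list under `noop`, while the fixed variant delivers the new token and still restarts or signals nothing, matching the commit's claim that the fix leaves the change-mode semantics untouched.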
  2. 28 Oct, 2021 1 commit
  3. 22 Feb, 2019 1 commit
  4. 20 Nov, 2018 1 commit
  5. 16 Oct, 2018 9 commits