CLI: flag to not require VAULT_TOKEN for nomad job validate and nomad job plan #14422

Closed
gmichalec-pandora opened this issue Aug 31, 2022 · 3 comments


@gmichalec-pandora

Proposal

The recent change to verify a user's vault_token against the requested policies in the job spec is breaking some of our workflows. It seems a little odd to require authentication for a non-destructive, non-privileged operation. This is particularly painful for us, because we do not federate our vault regions, and thus, we need to render and parse the job spec to identify the target region in order to know which region to authenticate to for the vault token.
I think ideally, there would be a CLI/API parameter that would disable the vault_token verification.

Use-cases

We have a UI that users use to deploy jobs - before submitting the job run, we run a plan to preview any changes. This used to be a simple API call. Now we need to refactor this feature to

  • make one API call to render the job spec (we use levant templating),
  • return the rendered spec to the client
  • parse the spec to identify the target region
  • request vault authentication for that region
  • submit the plan request with the proper vault token

Additionally, people who are not direct policy members can no longer run a verify/plan. This can make support difficult, as admins/devops cannot test renders for debugging users' issues.

@lgfa29
Contributor

lgfa29 commented Sep 1, 2022

Hi @gmichalec-pandora 👋

The changes brought these commands closer to the result you would get from a nomad job run execution, but I can see how it could be useful to have a way to skip this check (or maybe turn it into a warning).

I will discuss with the team how best to implement this. Thanks for the idea 🙂

@tgross
Member

tgross commented Jun 24, 2024

While this was probably a good idea, it's only required to support the now-deprecated Vault token workflow which we'll be removing in a near-future major version of Nomad (1.9.0, I think?). With Workload Identity, job submitters don't need a Vault token at all.

@tgross closed this as not planned Jun 24, 2024

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions bot locked as resolved and limited conversation to collaborators Dec 27, 2024