vault: ignore allow_unauthenticated config if identity is set (#19585)

When the server's `vault` block has a default identity, we don't check the user's Vault token (and in fact, we warn them on job submit if they've provided one). But the validation hook still checks for a token if `allow_unauthenticated` is set to true. This is a misconfiguration but there's no reason for Nomad not to do the expected thing here. Fixes: #19565
hashicorp · Jan 2, 2024 · 43ac13f · 43ac13f
1 parent 83b9392
commit 43ac13f
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/.changelog/19585.txt b/.changelog/19585.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault: Fixed a bug where `allow_unauthenticated` was enforced when a `default_identity` was set
+```
diff --git a/nomad/job_endpoint_hook_vault.go b/nomad/job_endpoint_hook_vault.go
@@ -38,7 +38,7 @@ func (h jobVaultHook) Validate(job *structs.Job) ([]error, error) {
 				return nil, fmt.Errorf("Vault %q not enabled but used in the job",
 					vaultBlock.Cluster)
 			}
-			if !vconf.AllowsUnauthenticated() {
+			if vconf.DefaultIdentity == nil && !vconf.AllowsUnauthenticated() {
 				requiresToken = true
 			}
 		}

diff --git a/nomad/job_endpoint_hook_vault_ce_test.go b/nomad/job_endpoint_hook_vault_ce_test.go
@@ -10,8 +10,10 @@ import (
 	"testing"
 
 	"github.com/hashicorp/nomad/ci"
+	"github.com/hashicorp/nomad/helper/pointer"
 	"github.com/hashicorp/nomad/nomad/mock"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/hashicorp/nomad/testutil"
 	"github.com/shoenig/test/must"
 )
@@ -21,6 +23,12 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 
 	srv, cleanup := TestServer(t, func(c *Config) {
 		c.NumSchedulers = 0
+		c.VaultConfigs[structs.VaultDefaultCluster].Enabled = pointer.Of(true)
+		c.VaultConfigs[structs.VaultDefaultCluster].AllowUnauthenticated = pointer.Of(false)
+		c.VaultConfigs[structs.VaultDefaultCluster].DefaultIdentity = &config.WorkloadIdentityConfig{
+			Name:     "vault_default",
+			Audience: []string{"vault.io"},
+		}
 	})
 	t.Cleanup(cleanup)
 	testutil.WaitForLeader(t, srv.RPC)
@@ -44,4 +52,9 @@ func TestJobEndpointHook_VaultCE(t *testing.T) {
 	err = hook.validateClustersForNamespace(job, job.Vault())
 	must.EqError(t, err, "non-default Vault cluster requires Nomad Enterprise")
 
+	job = mock.Job()
+	job.TaskGroups[0].Tasks[0].Vault = &structs.Vault{Cluster: structs.VaultDefaultCluster}
+	warnings, err := hook.Validate(job)
+	must.Len(t, 0, warnings)
+	must.NoError(t, err)
 }
diff --git a/website/content/docs/configuration/vault.mdx b/website/content/docs/configuration/vault.mdx
@@ -140,7 +140,8 @@ agents with [`server.enabled`] set to `true`.
   Specifies the default workload identity configuration to use when a task with
   a `vault` block does not specify an [`identity`][jobspec_identity] block
   named `vault_<name>`, where `<name>` matches the value of this `vault` block
-  [`name`](#name) parameter.
+  [`name`](#name) parameter. Setting a default identity causes the value of
+  `allow_unauthenticated` to be ignored.
 
 ### Deprecated Parameters