Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

extra_claims job ID without periodic suffix for batch jobs #23798

Closed
EtienneBruines opened this issue Aug 13, 2024 · 4 comments · Fixed by #23817
Closed

extra_claims job ID without periodic suffix for batch jobs #23798

EtienneBruines opened this issue Aug 13, 2024 · 4 comments · Fixed by #23817
Assignees
@tgross
Labels
hcc/jira theme/workload-identity type/bug
Milestone
1.8.4

Comments

@EtienneBruines
Copy link
Contributor

EtienneBruines commented Aug 13, 2024
edited
Loading

Proposal

Add a vault.default_identity.extra_claims interpolation for the job ID that does not include the /periodic-1234567 suffix, the same way the nomad_job_id does not include it.

Currently ${job.id} looks something like this my-batch-job-name/periodic-1723556632 and I'd like a variable (perhaps ${job.name}?) that gives me just my-batch-job-name

Use-cases

  • Vault integration for batch jobs. Not having the periodic suffix makes it more doable to actually provide secrets/paths in the Vault policy that it can access.

Attempted Solutions

  • No workaround is available.

Currently available interpolations:

nomad/nomad/structs/workload_id.go

Lines 235 to 252 in 90d646a

r := strings.NewReplacer(
// attributes that always exist
"${job.region}", b.job.Region,
"${job.namespace}", b.job.Namespace,
"${job.id}", b.job.ID,
"${job.node_pool}", b.job.NodePool,
"${group.name}", b.tg.Name,
// attributes that conditionally exist
"${node.id}", strAttrGet(b.node, func(n *Node) string { return n.ID }),
"${node.datacenter}", strAttrGet(b.node, func(n *Node) string { return n.Datacenter }),
"${node.pool}", strAttrGet(b.node, func(n *Node) string { return n.NodePool }),
"${node.class}", strAttrGet(b.node, func(n *Node) string { return n.NodeClass }),
"${task.name}", strAttrGet(b.task, func(t *Task) string { return t.Name }),
"${vault.cluster}", strAttrGet(b.vault, func(v *Vault) string { return v.Cluster }),
"${vault.namespace}", strAttrGet(b.vault, func(v *Vault) string { return v.Namespace }),
"${vault.role}", strAttrGet(b.vault, func(v *Vault) string { return v.Role }),
)

Sorry @tgross for not realizing this when the PR was still a PR.
@tgross
Copy link
Member

tgross commented Aug 13, 2024
edited
Loading

🤦 That's embarrassing. It should use the parent job ID when available, just as we do for other job claims. Will fix.

@tgross tgross moved this from Needs Triage to Triaging in Nomad - Community Issues Triage Aug 13, 2024
@tgross tgross self-assigned this Aug 13, 2024
@tgross tgross mentioned this issue Aug 14, 2024
Merged
tgross added a commit that referenced this issue Aug 14, 2024
@tgross
WI: interpolate parent job ID in vault.default_identity.extra_claims
378d4b3 
When we interpolate job fields for the `vault.default_identity.extra_claims`
block, we forgot to use the parent job ID when that's available (as we do for
all other claims). This changeset fixes the bug and adds a helper method that'll
hopefully remind us to do this going forward.

Also added a missing changelog entry for #23675 where we implemented the
`extra_claims` block originally, which shipped in Nomad 1.8.3.

Fixes: #23798
@the-nando
Copy link
Contributor

hey @tgross I've run into this as well unfortunately, in my quest to migrate some clusters to workload identity. Do you know more or less when this bug fix will ship?

@tgross
Copy link
Member

tgross commented Sep 3, 2024
edited
Loading

I've got a PR up with the fix #23817 but I've been on PTO the last couple weeks. Planning on shipping this in the upcoming Nomad 1.8.4.

@tgross tgross moved this from Triaging to In Progress in Nomad - Community Issues Triage Sep 3, 2024
tgross added a commit that referenced this issue Sep 3, 2024
@tgross
WI: interpolate parent job ID in vault.default_identity.extra_claims
0863ab9 
When we interpolate job fields for the `vault.default_identity.extra_claims`
block, we forgot to use the parent job ID when that's available (as we do for
all other claims). This changeset fixes the bug and adds a helper method that'll
hopefully remind us to do this going forward.

Also added a missing changelog entry for #23675 where we implemented the
`extra_claims` block originally, which shipped in Nomad 1.8.3.

Fixes: #23798
@tgross tgross closed this as completed in c43e30a Sep 3, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Nomad - Community Issues Triage Sep 3, 2024
Merged
@tgross tgross added this to the 1.8.4 milestone Sep 3, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 2, 2025

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@tgross tgross

Labels
hcc/jira theme/workload-identity type/bug
Projects
Nomad - Community Issues Triage
Archived in project
Milestone
1.8.4
Development

Successfully merging a pull request may close this issue.

WI: interpolate parent job ID in vault.default_identity.extra_claims hashicorp/nomad
3 participants
@tgross @EtienneBruines @the-nando