cli: forward request for job validation to nomad leader #14065
Conversation
shoenig
force-pushed
the
b-fwd-vtoken-validation
branch
from
b7faa80
to
1dc771f
Compare
There was a problem hiding this comment.
LGTM! I think the issue number in the PR message is wrong, it seems like it was supposed to be #13940.
This paragraph in docs could use some updating as well, I don't think that is even true anymore? 😅
| func (j *Job) Validate(args *structs.JobValidateRequest, reply *structs.JobValidateResponse) error { | ||
| if done, err := j.srv.forward("Job.Validate", args, args, reply); done { | ||
| return err |
There was a problem hiding this comment.
I don't think request allows for stale right? But if we would were to allow validation without forwarding (like a local check) we could downgrade Vault validation errors to warnings. But since (I think?) stale requests are not allowed here we're probably good as it is.
There was a problem hiding this comment.
Nope! The JobValidateRequest rpc embeds a WriteRequest, which has no notion of stale
This PR changes the behavior of 'nomad job validate' to forward the request to the nomad leader, rather than responding from any server. This is because we need the leader when validating Vault tokens, since the leader is the only server with an active vault client.
shoenig
force-pushed
the
b-fwd-vtoken-validation
branch
from
1dc771f
to
7b46524
Compare
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR changes the behavior of 'nomad job validate' to forward the
request to the nomad leader, rather than responding from any server.
This is because we need the leader when validating Vault tokens, since
the leader is the only server with an active vault client.
Closes #13940