Vault TLS Server Name is not honoured in template rendering since 0.5.3 #2776

Closed
stevehorsfield opened this issue Jul 5, 2017 · 1 comment

Comments

@stevehorsfield
Nomad version

Nomad v0.5.5

Operating system and Environment details

CoreOS, AWS EC2.

Issue

We use:

vault {
  enabled = true
  address = "https://vault:8200"
  tls_server_name = "vault.some.name"
}

Reproduction steps

Use a job with a template stanza that requires the specification of a TLS Server Name that is different from the host address of Vault.

Nomad Server logs (if appropriate)

Alloc status:

Time                   Type        Description
07/05/17 08:03:46 UTC  Killing     Killing task: consul-template: vault.read(secret/some/path): Get https://vault:8200/v1/secret/some/path: x509: certificate is valid for vault.some.name, not vault

Nomad Client logs (if appropriate)

2017/07/05 07:11:00 [ERR] (runner) watcher reported error: vault.read(secret/some/path): Get https://vault:8200/v1/secret/some/path: x509: certificate is valid for vault.some.name, not vault

Job file (if appropriate)

Analysis

I see a regression in https://github.com/hashicorp/nomad/blob/v0.5.3/client/consul_template.go#L406 where the TLS Server Name is overwritten due to how the merging is now done. Compare with the default config produced by consul-template for Vault and you'll see that the value is overwritten. The design in 0.5.2 does not apply the same logical steps and does not create this issue.

Severity

This is blocking all upgrades of Nomad in our estate.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 12, 2022