vault: honor new token_period in vault token role #6574

Merged
merged 2 commits into from
Oct 29, 2019

@notnoop notnoop commented Oct 28, 2019

Vault 1.2.0 deprecated period field in favor of token_period in auth
role:

  • Token store roles use new, common token fields for the values
    that overlap with other auth backends. period, explicit_max_ttl, and
    bound_cidrs will continue to work, with priority being given to the
    token_ prefixed versions of those parameters. They will also be returned
    when doing a read on the role if they were used to provide values initially;
    however, in Vault 1.4 if period or explicit_max_ttl is zero they will no
    longer be returned. (explicit_max_ttl was already not returned if empty.)
    https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#120-july-30th-2019

Here, we fix our handling and ensure that we test with the latest Vault, to make it easier to detect incompatible changes like these.

Fixes #6570.
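
An added example, not code from this pull request or from Nomad: one way for a Go client to read a token role's period so that it works with both the deprecated `period` field and the new `token_period` field, with priority given to `token_period` as the changelog describes. The function names and sample maps are hypothetical, and falling back to `period` when `token_period` is absent or zero is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// asSeconds converts a decoded JSON value to whole seconds.
// Depending on the decoder, numbers arrive as json.Number, float64, or an int type.
func asSeconds(v interface{}) (int64, bool) {
	switch n := v.(type) {
	case json.Number:
		i, err := n.Int64()
		return i, err == nil
	case float64:
		return int64(n), true
	case int:
		return int64(n), true
	case int64:
		return n, true
	}
	return 0, false
}

// effectivePeriod returns the role's period in seconds (hypothetical helper).
// token_period is checked first; the deprecated period field is used only
// when token_period is missing or zero. A result of 0 means neither field
// carries a period, which also covers servers that omit zero values.
func effectivePeriod(data map[string]interface{}) int64 {
	for _, key := range []string{"token_period", "period"} {
		if secs, ok := asSeconds(data[key]); ok && secs > 0 {
			return secs
		}
	}
	return 0
}

func main() {
	// Constructed sample role data, not captured from a real Vault server.
	legacy := map[string]interface{}{"period": json.Number("259200")}
	current := map[string]interface{}{"token_period": float64(3600), "period": float64(0)}
	fmt.Println(effectivePeriod(legacy), effectivePeriod(current), effectivePeriod(nil))
}
```

A validation check that looks only at `period` would treat the second sample role as non-periodic, which is the incompatibility this pull request addresses.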

Mahmood Ali added 2 commits October 28, 2019 09:33
Vault 1.2.0 deprecated `period` field in favor of `token_period` in auth
role:

>  * Token store roles use new, common token fields for the values
>    that overlap with other auth backends. `period`, `explicit_max_ttl`, and
>    `bound_cidrs` will continue to work, with priority being given to the
>    `token_` prefixed versions of those parameters. They will also be returned
>    when doing a read on the role if they were used to provide values initially;
>    however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no
>    longer be returned. (`explicit_max_ttl` was already not returned if empty.)
https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#120-july-30th-2019
To ensure we test with latest configuration.
@notnoop notnoop added this to the 0.10.1 milestone Oct 28, 2019
@notnoop notnoop requested a review from cgbaker October 28, 2019 13:55
@notnoop notnoop added this to Triaged in Nomad - Community Issues Triage via automation Oct 28, 2019
@cgbaker cgbaker left a comment

LGTM

@notnoop notnoop merged commit 6d59938 into master Oct 29, 2019
Nomad - Community Issues Triage automation moved this from Triaged to Done Oct 29, 2019
@notnoop notnoop deleted the b-gh-6570-vault-role-validation branch October 29, 2019 14:19
@preetapan preetapan modified the milestones: 0.10.1, 0.10.2 Nov 6, 2019
@the-maldridge

I got bit by this during a cluster upgrade. Short of trying to second guess the QA procedures for the HashiStack, is there something I could have done to catch this in my environment? I was somewhat surprised to discover the current release version of Nomad didn't work with a current release version of Vault when deprecation notices were heeded.

@github-actions

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 24, 2023
Successfully merging this pull request may close these issues.

validateRole should use the new "token_period" instead of "period"