client: add NOMAD_LICENSE to default env deny list #11215

Merged
merged 1 commit into from
Sep 21, 2021
3 changes: 3 additions & 0 deletions .changelog/11215.txt
@@ -0,0 +1,3 @@
```release-note:bug
client: Added `NOMAD_LICENSE` to default environment variable deny list.
```
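Review bot: The release note only describes the task-environment deny list, but the same list now also drives the host environment redaction set in command/agent/host (see the host.go hunk in this PR), so `NOMAD_LICENSE` will additionally be redacted from host environment output; consider mentioning both effects, e.g. "client: Added `NOMAD_LICENSE` to the default environment variable deny list and to the host environment redaction set."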
10 changes: 2 additions & 8 deletions client/config/config.go
Expand Up @@ -9,6 +9,7 @@ import (
"time"

"github.com/hashicorp/nomad/client/lib/cgutil"
"github.com/hashicorp/nomad/command/agent/host"

log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/nomad/client/state"
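Review bot: This hunk reverses the dependency direction the old code was avoiding: host.go previously duplicated the list "in order to avoid an import cycle", and now client/config imports command/agent/host instead. Please confirm that command/agent/host does not (transitively) import anything under client/, otherwise this compiles today only by accident and the cycle returns the first time host grows a dependency on the client tree. A neutral low-level package for shared defaults would avoid client code depending on a command/agent package at all. Minor: the new import is placed in the cgutil group rather than alongside the other nomad imports below `log "github.com/hashicorp/go-hclog"`; keeping the grouping consistent helps goimports stay stable.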
Expand All @@ -23,14 +24,7 @@ import (
var (
// DefaultEnvDenylist is the default set of environment variables that are
// filtered when passing the environment variables of the host to a task.
// duplicated in command/agent/host, update that if this changes.
DefaultEnvDenylist = strings.Join([]string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",
}, ",")
DefaultEnvDenylist = strings.Join(host.DefaultEnvDenyList, ",")

// DefaultUserDenylist is the default set of users that tasks are not
// allowed to run as when using a driver in "user.checked_drivers"
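Review bot: Naming is now inconsistent across the two packages: this file exports `DefaultEnvDenylist` (lowercase l) while host.go exports `DefaultEnvDenyList` (capital L). Since one is now defined in terms of the other, aligning the spelling (e.g. `DefaultEnvDenylist = strings.Join(host.DefaultEnvDenylist, ",")`) would make the relationship obvious at call sites. Dropping the "duplicated in command/agent/host" sentence from the comment is the right call now that the duplication is gone.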
25 changes: 15 additions & 10 deletions command/agent/host/host.go
Expand Up @@ -87,20 +87,25 @@ func environment() map[string]string {
return env
}

// DefaultEnvDenyList is the default set of environment variables that are
// filtered when passing the environment variables of the host to the task.
//
// Update https://www.nomadproject.io/docs/configuration/client#env-denylist
// whenever this is changed.
var DefaultEnvDenyList = []string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"NOMAD_LICENSE",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",
}

// makeEnvRedactSet creates a set of well known environment variables that should be
// redacted in the output
func makeEnvRedactSet() map[string]struct{} {
// Duplicated from config.DefaultEnvBlacklist in order to avoid an import cycle
configDefault := []string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",
}

set := make(map[string]struct{})
for _, e := range configDefault {
for _, e := range DefaultEnvDenyList {
set[e] = struct{}{}
}

1 change: 1 addition & 0 deletions website/content/docs/configuration/client.mdx
Expand Up @@ -235,6 +235,7 @@ see the [drivers documentation](/docs/drivers).
CONSUL_TOKEN
CONSUL_HTTP_TOKEN
VAULT_TOKEN
NOMAD_LICENSE
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
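Review bot: The documented default now matches `DefaultEnvDenyList` in host.go, which is what the new comment there asks for. Since this PR only changes the default, consider adding a sentence near this list reminding operators that a custom `env.denylist` value must include `NOMAD_LICENSE` themselves if they want the fix; otherwise clusters that already override the list keep exposing the variable to tasks without any upgrade signal.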