vault: Remove legacy token based authentication workflow.

The legacy workflow for Vault whereby servers were configured using a token to provide authentication to the Vault API has now been removed. This change also removes the workflow where servers were responsible for deriving Vault tokens for Nomad clients. The deprecated Vault config options used byi the Nomad agent have all been removed except for "token" which is still in use by the Vault Transit keyring implementation. Job specification authors can no longer use the "vault.policies" parameter and should instead use "vault.role" when not using the default workload identity.
hashicorp · Feb 19, 2025 · 13bfcb6 · 13bfcb6
1 parent 32c25d3
commit 13bfcb6
Show file tree

Hide file tree

Showing 66 changed files with 417 additions and 5,911 deletions.
diff --git a/api/jobs.go b/api/jobs.go
@@ -1103,7 +1103,6 @@ type Job struct {
 	Migrate          *MigrateStrategy        `hcl:"migrate,block"`
 	Meta             map[string]string       `hcl:"meta,block"`
 	ConsulToken      *string                 `mapstructure:"consul_token" hcl:"consul_token,optional"`
-	VaultToken       *string                 `mapstructure:"vault_token" hcl:"vault_token,optional"`
 	UI               *JobUIConfig            `hcl:"ui,block"`
 
 	/* Fields set by server, not sourced from job config file */
@@ -1179,9 +1178,6 @@ func (j *Job) Canonicalize() {
 	if j.ConsulNamespace == nil {
 		j.ConsulNamespace = pointerOf("")
 	}
-	if j.VaultToken == nil {
-		j.VaultToken = pointerOf("")
-	}
 	if j.VaultNamespace == nil {
 		j.VaultNamespace = pointerOf("")
 	}

diff --git a/api/jobs_test.go b/api/jobs_test.go
@@ -288,7 +288,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Status:            pointerOf(""),
@@ -387,7 +386,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Status:            pointerOf(""),
@@ -469,7 +467,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),
@@ -645,7 +642,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),
@@ -818,7 +814,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),
@@ -912,7 +907,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),
@@ -1096,7 +1090,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),
@@ -1275,7 +1268,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 				AllAtOnce:         pointerOf(false),
 				ConsulToken:       pointerOf(""),
 				ConsulNamespace:   pointerOf(""),
-				VaultToken:        pointerOf(""),
 				VaultNamespace:    pointerOf(""),
 				NomadTokenID:      pointerOf(""),
 				Stop:              pointerOf(false),

diff --git a/client/allocrunner/taskrunner/task_runner_linux_test.go b/client/allocrunner/taskrunner/task_runner_linux_test.go
@@ -30,19 +30,18 @@ func TestTaskRunner_DisableFileForVaultToken_UpgradePath(t *testing.T) {
 		"run_for": "0s",
 	}
 	task.Vault = &structs.Vault{
-		Cluster:  structs.VaultDefaultCluster,
-		Policies: []string{"default"},
+		Cluster: structs.VaultDefaultCluster,
 	}
 
 	// Setup a test Vault client.
 	token := "1234"
-	handler := func(*structs.Allocation, []string) (map[string]string, error) {
-		return map[string]string{task.Name: token}, nil
+	handler := func(ctx context.Context, req vaultclient.JWTLoginRequest) (string, bool, error) {
+		return token, true, nil
 	}
 	vc, err := vaultclient.NewMockVaultClient(structs.VaultDefaultCluster)
 	must.NoError(t, err)
 	vaultClient := vc.(*vaultclient.MockVaultClient)
-	vaultClient.DeriveTokenFn = handler
+	vaultClient.SetDeriveTokenWithJWTFn(handler)
 
 	conf, cleanup := testTaskRunnerConfig(t, alloc, task.Name, vaultClient)
 	defer cleanup()
@@ -75,7 +74,7 @@ func TestTaskRunner_DisableFileForVaultToken_UpgradePath(t *testing.T) {
 	must.Eq(t, structs.TaskStateDead, finalState.State)
 	must.False(t, finalState.Failed)
 
-	// Verfiry token is in secrets dir.
+	// Verify token is in secrets dir.
 	tokenPath = filepath.Join(conf.TaskDir.SecretsDir, vaultTokenFile)
 	data, err := os.ReadFile(tokenPath)
 	must.NoError(t, err)