Merge pull request #1931 from hashicorp/rename-vault-config

Rename vault config
2016-11-06 10:14:25 -08:00 · 2016-11-06 10:14:25 -08:00 · 15f085a4d7
parent 960424f086 d1345b9294
commit 15f085a4d7
4 changed files with 26 additions and 24 deletions
--- a/command/agent/config-test-fixtures/basic.hcl
+++ b/command/agent/config-test-fixtures/basic.hcl
@ -115,10 +115,10 @@ vault {
    task_token_ttl = "1s"
    enabled = false
    token = "12345"
-    tls_ca_file = "/path/to/ca/file"
-    tls_ca_path = "/path/to/ca"
-    tls_cert_file = "/path/to/cert/file"
-    tls_key_file = "/path/to/key/file"
+    ca_file = "/path/to/ca/file"
+    ca_path = "/path/to/ca"
+    cert_file = "/path/to/cert/file"
+    key_file = "/path/to/key/file"
    tls_server_name = "foobar"
    tls_skip_verify = true
 }
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@ -704,10 +704,10 @@ func parseVaultConfig(result **config.VaultConfig, list *ast.ObjectList) error {
 		"allow_unauthenticated",
 		"enabled",
 		"task_token_ttl",
-		"tls_ca_file",
-		"tls_ca_path",
-		"tls_cert_file",
-		"tls_key_file",
+		"ca_file",
+		"ca_path",
+		"cert_file",
+		"key_file",
 		"tls_server_name",
 		"tls_skip_verify",
 		"token",
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
@ -50,17 +50,17 @@ type VaultConfig struct {

 	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
 	// Vault server SSL certificate.
-	TLSCaFile string `mapstructure:"tls_ca_file"`
+	TLSCaFile string `mapstructure:"ca_file"`

 	// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
 	// verify the Vault server SSL certificate.
-	TLSCaPath string `mapstructure:"tls_ca_path"`
+	TLSCaPath string `mapstructure:"ca_path"`

 	// TLSCertFile is the path to the certificate for Vault communication
-	TLSCertFile string `mapstructure:"tls_cert_file"`
+	TLSCertFile string `mapstructure:"cert_file"`

 	// TLSKeyFile is the path to the private key for Vault communication
-	TLSKeyFile string `mapstructure:"tls_key_file"`
+	TLSKeyFile string `mapstructure:"key_file"`

 	// TLSSkipVerify enables or disables SSL verification
 	TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`
@ -75,6 +75,9 @@ func DefaultVaultConfig() *VaultConfig {
 	return &VaultConfig{
 		Addr:                "https://vault.service.consul:8200",
 		ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
+		AllowUnauthenticated: func(b bool) *bool {
+			return &b
+		}(true),
 	}
 }

--- a/website/source/docs/agent/configuration/vault.html.md
+++ b/website/source/docs/agent/configuration/vault.html.md
@ -39,11 +39,10 @@ vault {
  given in the format `protocol://host:port`. If your Vault installation is
  behind a load balancer, this should be the address of the load balancer.

- `allow_unauthenticated` `(bool: false)` - Specifies if users submitting jobs
-  to the Nomad server should be required to provide their own Vault token,
-  proving they have access to the policies listed in the job. This option should
-  only ever be enabled in a trusted environment, because, if enabled, users
-  could escalate privilege in a job.
+- `allow_unauthenticated` `(bool: true)` - Specifies if users submitting jobs to
+  the Nomad server should be required to provide their own Vault token, proving
+  they have access to the policies listed in the job. This option should be
+  disabled in an untrusted environment.

 - `enabled` `(bool: false)` - Specifies if the Vault integration should be
  activated.
@ -51,20 +50,20 @@ vault {
 - `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when
  using a root token. This is specified using a label suffix like "30s" or "1h".

- `tls_ca_file` `(string: "")` - Specifies an optional path to the CA
+- `ca_file` `(string: "")` - Specifies an optional path to the CA
  certificate used for Vault communication. If unspecified, this will fallback
  to the default system CA bundle, which varies by OS and version.

- `tls_ca_path` `(string: "")` - Specifies an optional path to a folder
+- `ca_path` `(string: "")` - Specifies an optional path to a folder
  containing CA certificates to be used for Vault communication. If unspecified,
  this will fallback to the default system CA bundle, which varies by OS and
  version.

- `tls_cert_file` `(string: "")` - Specifies the path to the certificate used
+- `cert_file` `(string: "")` - Specifies the path to the certificate used
  for Vault communication. If this is set then you need to also set
  `tls_key_file`.

- `tls_key_file` `(string: "")` - Specifies the path to the private key used for
+- `key_file` `(string: "")` - Specifies the path to the private key used for
  Vault communication. If this is set then you need to also set `tls_cert_file`.

 - `tls_server_name` `(string: "")` - Specifies an optional string used to set
@ -112,9 +111,9 @@ Nomad and Vault:
 ```hcl
 vault {
  enabled         = true
-  tls_ca_path     = "/etc/certs/ca"
-  tls_cert_file   = "/var/certs/vault.crt"
-  tls_key_file    = "/var/certs/vault.key"
+  ca_path     = "/etc/certs/ca"
+  cert_file   = "/var/certs/vault.crt"
+  key_file    = "/var/certs/vault.key"
  tls_server_name = "nomad.service.consul"
 }
 ```