diff --git a/command/agent/config-test-fixtures/basic.hcl b/command/agent/config-test-fixtures/basic.hcl
index 3301a837b..0059210f2 100644
--- a/command/agent/config-test-fixtures/basic.hcl
+++ b/command/agent/config-test-fixtures/basic.hcl
@@ -115,10 +115,10 @@ vault {
 task_token_ttl = "1s"
 enabled = false
 token = "12345"
- tls_ca_file = "/path/to/ca/file"
- tls_ca_path = "/path/to/ca"
- tls_cert_file = "/path/to/cert/file"
- tls_key_file = "/path/to/key/file"
+ ca_file = "/path/to/ca/file"
+ ca_path = "/path/to/ca"
+ cert_file = "/path/to/cert/file"
+ key_file = "/path/to/key/file"
 tls_server_name = "foobar"
 tls_skip_verify = true
 }
diff --git a/command/agent/config_parse.go b/command/agent/config_parse.go
index 6f8bbc4a7..701c9bfa0 100644
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -704,10 +704,10 @@ func parseVaultConfig(result **config.VaultConfig, list *ast.ObjectList) error {
 "allow_unauthenticated",
 "enabled",
 "task_token_ttl",
- "tls_ca_file",
- "tls_ca_path",
- "tls_cert_file",
- "tls_key_file",
+ "ca_file",
+ "ca_path",
+ "cert_file",
+ "key_file",
 "tls_server_name",
 "tls_skip_verify",
 "token",
diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go
index 2ad10c4e9..a958661c6 100644
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
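Review bot: Dropping `tls_ca_file`, `tls_ca_path`, `tls_cert_file` and `tls_key_file` from this key list means an existing agent config that still uses the old names is rejected at parse time if, as the context suggests, the list feeds an unknown-key check; if unknown keys were instead only warned about, the operator's CA, cert and key settings would be silently ignored and the Vault connection would fall back to the system CA bundle with no client certificate. Either keep the old names as deprecated aliases that map onto the same `VaultConfig` fields, or call the rename out as a breaking change in the changelog and upgrade notes. The docs hunk in this same commit still cross-references `tls_key_file` and `tls_cert_file` inside the new `cert_file`/`key_file` descriptions, so those should be updated to the new names as well. parseVaultConfig's body starts and ends outside the hunk.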
@@ -50,17 +50,17 @@ type VaultConfig struct {
 // TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
 // Vault server SSL certificate.
- TLSCaFile string `mapstructure:"tls_ca_file"`
+ TLSCaFile string `mapstructure:"ca_file"`
 // TLSCaFile is the path to a directory of PEM-encoded CA cert files to
 // verify the Vault server SSL certificate.
- TLSCaPath string `mapstructure:"tls_ca_path"`
+ TLSCaPath string `mapstructure:"ca_path"`
 // TLSCertFile is the path to the certificate for Vault communication
- TLSCertFile string `mapstructure:"tls_cert_file"`
+ TLSCertFile string `mapstructure:"cert_file"`
 // TLSKeyFile is the path to the private key for Vault communication
- TLSKeyFile string `mapstructure:"tls_key_file"`
+ TLSKeyFile string `mapstructure:"key_file"`
 // TLSSkipVerify enables or disables SSL verification
 TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`
@@ -75,6 +75,9 @@ func DefaultVaultConfig() *VaultConfig {
 return &VaultConfig{
 Addr: "https://vault.service.consul:8200",
 ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
+ AllowUnauthenticated: func(b bool) *bool {
+ return &b
+ }(true),
 }
 }
diff --git a/website/source/docs/agent/configuration/vault.html.md b/website/source/docs/agent/configuration/vault.html.md
index 2a5e6fd67..90dd271c7 100644
--- a/website/source/docs/agent/configuration/vault.html.md
+++ b/website/source/docs/agent/configuration/vault.html.md
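Review bot: `DefaultVaultConfig` now sets `AllowUnauthenticated` to true, which flips the trust model for every cluster that does not set the option explicitly: by the option's own description in the docs hunk, job submitters are no longer required to present a Vault token proving they hold the policies a job requests, so anyone who can submit jobs can obtain tokens for any policy the server's Vault token is able to create. A secure-by-default choice would leave the default false and make operators opt in; if true is intended, at least keep the original warning that this must only be enabled in a trusted environment because users can escalate privilege, which the docs hunk replaces with the weaker "should be disabled in an untrusted environment". Because the default is now a non-nil `*bool`, the merge/override logic (outside this hunk) must treat an explicit `allow_unauthenticated = false` as overriding the default rather than as an unset value, and that case deserves a test. The immediately-invoked closure is also hard to read; a small helper that returns the address of a bool, if the package already has one, would be clearer.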
@@ -39,11 +39,10 @@ vault {
 given in the format `protocol://host:port`. If your Vault installation is behind a load balancer, this should be the address of the load balancer.
-- `allow_unauthenticated` `(bool: false)` - Specifies if users submitting jobs
- to the Nomad server should be required to provide their own Vault token,
- proving they have access to the policies listed in the job. This option should
- only ever be enabled in a trusted environment, because, if enabled, users
- could escalate privilege in a job.
+- `allow_unauthenticated` `(bool: true)` - Specifies if users submitting jobs to
+ the Nomad server should be required to provide their own Vault token, proving
+ they have access to the policies listed in the job. This option should be
+ disabled in an untrusted environment.
 - `enabled` `(bool: false)` - Specifies if the Vault integration should be activated.
@@ -51,20 +50,20 @@ vault {
 - `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when using a root token. This is specified using a label suffix like "30s" or "1h".
-- `tls_ca_file` `(string: "")` - Specifies an optional path to the CA
+- `ca_file` `(string: "")` - Specifies an optional path to the CA
 certificate used for Vault communication. If unspecified, this will fallback to the default system CA bundle, which varies by OS and version.
-- `tls_ca_path` `(string: "")` - Specifies an optional path to a folder
+- `ca_path` `(string: "")` - Specifies an optional path to a folder
 containing CA certificates to be used for Vault communication. If unspecified, this will fallback to the default system CA bundle, which varies by OS and version.
-- `tls_cert_file` `(string: "")` - Specifies the path to the certificate used
+- `cert_file` `(string: "")` - Specifies the path to the certificate used
 for Vault communication. If this is set then you need to also set `tls_key_file`.
-- `tls_key_file` `(string: "")` - Specifies the path to the private key used for
+- `key_file` `(string: "")` - Specifies the path to the private key used for
 Vault communication. If this is set then you need to also set `tls_cert_file`.
 - `tls_server_name` `(string: "")` - Specifies an optional string used to set
@@ -112,9 +111,9 @@ Nomad and Vault:
 ```hcl
 vault {
 enabled = true
- tls_ca_path = "/etc/certs/ca"
- tls_cert_file = "/var/certs/vault.crt"
- tls_key_file = "/var/certs/vault.key"
+ ca_path = "/etc/certs/ca"
+ cert_file = "/var/certs/vault.crt"
+ key_file = "/var/certs/vault.key"
 tls_server_name = "nomad.service.consul"
 }
 ```