Merge pull request #1931 from hashicorp/rename-vault-config

Rename vault config
Diptanu Choudhury 2016-11-06 10:14:25 -08:00 committed by GitHub
commit 15f085a4d7
4 changed files with 26 additions and 24 deletions


@ -115,10 +115,10 @@ vault {
task_token_ttl = "1s" task_token_ttl = "1s"
enabled = false enabled = false
token = "12345" token = "12345"
tls_ca_file = "/path/to/ca/file" ca_file = "/path/to/ca/file"
tls_ca_path = "/path/to/ca" ca_path = "/path/to/ca"
tls_cert_file = "/path/to/cert/file" cert_file = "/path/to/cert/file"
tls_key_file = "/path/to/key/file" key_file = "/path/to/key/file"
tls_server_name = "foobar" tls_server_name = "foobar"
tls_skip_verify = true tls_skip_verify = true
} }


@ -704,10 +704,10 @@ func parseVaultConfig(result **config.VaultConfig, list *ast.ObjectList) error {
"allow_unauthenticated", "allow_unauthenticated",
"enabled", "enabled",
"task_token_ttl", "task_token_ttl",
"tls_ca_file", "ca_file",
"tls_ca_path", "ca_path",
"tls_cert_file", "cert_file",
"tls_key_file", "key_file",
"tls_server_name", "tls_server_name",
"tls_skip_verify", "tls_skip_verify",
"token", "token",


@ -50,17 +50,17 @@ type VaultConfig struct {
// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the // TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
// Vault server SSL certificate. // Vault server SSL certificate.
TLSCaFile string `mapstructure:"tls_ca_file"` TLSCaFile string `mapstructure:"ca_file"`
// TLSCaFile is the path to a directory of PEM-encoded CA cert files to // TLSCaFile is the path to a directory of PEM-encoded CA cert files to
// verify the Vault server SSL certificate. // verify the Vault server SSL certificate.
TLSCaPath string `mapstructure:"tls_ca_path"` TLSCaPath string `mapstructure:"ca_path"`
// TLSCertFile is the path to the certificate for Vault communication // TLSCertFile is the path to the certificate for Vault communication
TLSCertFile string `mapstructure:"tls_cert_file"` TLSCertFile string `mapstructure:"cert_file"`
// TLSKeyFile is the path to the private key for Vault communication // TLSKeyFile is the path to the private key for Vault communication
TLSKeyFile string `mapstructure:"tls_key_file"` TLSKeyFile string `mapstructure:"key_file"`
// TLSSkipVerify enables or disables SSL verification // TLSSkipVerify enables or disables SSL verification
TLSSkipVerify *bool `mapstructure:"tls_skip_verify"` TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`
@ -75,6 +75,9 @@ func DefaultVaultConfig() *VaultConfig {
return &VaultConfig{ return &VaultConfig{
Addr: "https://vault.service.consul:8200", Addr: "https://vault.service.consul:8200",
ConnectionRetryIntv: DefaultVaultConnectRetryIntv, ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
AllowUnauthenticated: func(b bool) *bool {
return &b
}(true),
} }
} }
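Review bot: DefaultVaultConfig now initialises AllowUnauthenticated to true, which by the option's name and the accompanying `allow_unauthenticated` doc entry flips the default to the permissive setting (job submitters are no longer required to present their own Vault token), yet the new initialiser carries no comment saying why that is the intended default, and the doc sentence the same commit drops ("if enabled, users could escalate privilege in a job") was the only place the risk was spelled out. Suggest a why-comment above the new field, e.g. `// AllowUnauthenticated defaults to true; operators accepting jobs from untrusted submitters must set allow_unauthenticated = false explicitly.`, so the permissive default is deliberate rather than incidental. DefaultVaultConfig's signature appears only in the hunk header, so the function starts outside the hunk. Separately, the comment on TLSCaPath at the top of this section still reads `// TLSCaFile is the path to a directory of PEM-encoded CA cert files ...`, a copy-paste leftover that should name TLSCaPath; and the website entries for `cert_file` and `key_file` in this commit still cross-reference `tls_key_file` and `tls_cert_file`, which no longer exist after the rename.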


@ -39,11 +39,10 @@ vault {
given in the format `protocol://host:port`. If your Vault installation is given in the format `protocol://host:port`. If your Vault installation is
behind a load balancer, this should be the address of the load balancer. behind a load balancer, this should be the address of the load balancer.
- `allow_unauthenticated` `(bool: false)` - Specifies if users submitting jobs - `allow_unauthenticated` `(bool: true)` - Specifies if users submitting jobs to
to the Nomad server should be required to provide their own Vault token, the Nomad server should be required to provide their own Vault token, proving
proving they have access to the policies listed in the job. This option should they have access to the policies listed in the job. This option should be
only ever be enabled in a trusted environment, because, if enabled, users disabled in an untrusted environment.
could escalate privilege in a job.
- `enabled` `(bool: false)` - Specifies if the Vault integration should be - `enabled` `(bool: false)` - Specifies if the Vault integration should be
activated. activated.
@ -51,20 +50,20 @@ vault {
- `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when - `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when
using a root token. This is specified using a label suffix like "30s" or "1h". using a root token. This is specified using a label suffix like "30s" or "1h".
- `tls_ca_file` `(string: "")` - Specifies an optional path to the CA - `ca_file` `(string: "")` - Specifies an optional path to the CA
certificate used for Vault communication. If unspecified, this will fallback certificate used for Vault communication. If unspecified, this will fallback
to the default system CA bundle, which varies by OS and version. to the default system CA bundle, which varies by OS and version.
- `tls_ca_path` `(string: "")` - Specifies an optional path to a folder - `ca_path` `(string: "")` - Specifies an optional path to a folder
containing CA certificates to be used for Vault communication. If unspecified, containing CA certificates to be used for Vault communication. If unspecified,
this will fallback to the default system CA bundle, which varies by OS and this will fallback to the default system CA bundle, which varies by OS and
version. version.
- `tls_cert_file` `(string: "")` - Specifies the path to the certificate used - `cert_file` `(string: "")` - Specifies the path to the certificate used
for Vault communication. If this is set then you need to also set for Vault communication. If this is set then you need to also set
`tls_key_file`. `tls_key_file`.
- `tls_key_file` `(string: "")` - Specifies the path to the private key used for - `key_file` `(string: "")` - Specifies the path to the private key used for
Vault communication. If this is set then you need to also set `tls_cert_file`. Vault communication. If this is set then you need to also set `tls_cert_file`.
- `tls_server_name` `(string: "")` - Specifies an optional string used to set - `tls_server_name` `(string: "")` - Specifies an optional string used to set
@ -112,9 +111,9 @@ Nomad and Vault:
```hcl ```hcl
vault { vault {
enabled = true enabled = true
tls_ca_path = "/etc/certs/ca" ca_path = "/etc/certs/ca"
tls_cert_file = "/var/certs/vault.crt" cert_file = "/var/certs/vault.crt"
tls_key_file = "/var/certs/vault.key" key_file = "/var/certs/vault.key"
tls_server_name = "nomad.service.consul" tls_server_name = "nomad.service.consul"
} }
``` ```