Merge pull request #7129 from hashicorp/b-consistent-ct-name

command: use consistent CONSUL_HTTP_TOKEN name
This commit is contained in:
Seth Hoenig 2020-02-12 12:27:46 -06:00 committed by GitHub
commit 2829b4cd23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 10 additions and 5 deletions

View File

@ -37,6 +37,10 @@ BUG FIXES:
* scheduler: Fixed a bug that caused evicted allocs on a lost node to be stuck in running [[GH-6902](https://github.com/hashicorp/nomad/issues/6902)]
* scheduler: Fixed a bug where `nomad job plan/apply` returned errors instead of ignoring system job updates for ineligible nodes. [[GH-6996](https://github.com/hashicorp/nomad/issues/6996)]
SECURITY:
* client: Nomad will no longer pass through the `CONSUL_HTTP_TOKEN` environment variable when launching a task. [[GH-7131](https://github.com/hashicorp/nomad/issues/7131)]
## 0.10.3 (January 29, 2020)
SECURITY:

View File

@ -23,6 +23,7 @@ var (
// filtered when passing the environment variables of the host to a task.
DefaultEnvBlacklist = strings.Join([]string{
"CONSUL_TOKEN",
"CONSUL_HTTP_TOKEN",
"VAULT_TOKEN",
"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
"GOOGLE_APPLICATION_CREDENTIALS",

View File

@ -113,7 +113,7 @@ func (c *JobRevertCommand) Run(args []string) int {
// Parse the Consul token
if consulToken == "" {
// Check the environment variable
consulToken = os.Getenv("CONSUL_TOKEN")
consulToken = os.Getenv("CONSUL_HTTP_TOKEN")
}
// Parse the Vault token

View File

@ -54,7 +54,7 @@ Alias: nomad run
The run command will set the consul_token of the job based on the following
precedence, going from highest to lowest: the -consul-token flag, the
$CONSUL_TOKEN environment variable and finally the value in the job file.
$CONSUL_HTTP_TOKEN environment variable and finally the value in the job file.
The run command will set the vault_token of the job based on the following
precedence, going from highest to lowest: the -vault-token flag, the
@ -89,7 +89,7 @@ Run Options:
-consul-token
If set, the passed Consul token is stored in the job before sending to the
Nomad servers. This allows passing the Consul token without storing it in
the job file. This overrides the token found in $CONSUL_TOKEN environment
the job file. This overrides the token found in $CONSUL_HTTP_TOKEN environment
variable and that found in the job.
-vault-token
@ -190,7 +190,7 @@ func (c *JobRunCommand) Run(args []string) int {
// Parse the Consul token
if consulToken == "" {
// Check the environment variable
consulToken = os.Getenv("CONSUL_TOKEN")
consulToken = os.Getenv("CONSUL_HTTP_TOKEN")
}
if consulToken != "" {

View File

@ -145,7 +145,7 @@ func DefaultConsulConfig() *ConsulConfig {
// creation of Consul Service Identity tokens for Consul Connect enabled Tasks.
//
// If allow_unauthenticated is false, the operator must provide a token on
// job submission (i.e. -consul-token or $CONSUL_TOKEN).
// job submission (i.e. -consul-token or $CONSUL_HTTP_TOKEN).
func (c *ConsulConfig) AllowsUnauthenticated() bool {
return c.AllowUnauthenticated != nil && *c.AllowUnauthenticated
}