From 672fb46d12fe2666ce6b498b69bcf886bae83e0b Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Thu, 3 Nov 2022 11:10:11 -0400
Subject: [PATCH] WI: set identity to client secret if missing (#15121)

Allocations created before 1.4.0 will not have a workload identity token. When the client running these allocs is upgraded to 1.4.x, the identity hook will run and replace the node secret ID token used previously with an empty string. This causes service discovery queries to fail. Fallback to the node's secret ID when the allocation doesn't have a signed identity. Note that pre-1.4.0 allocations won't have templates that read Variables, so there's no threat that this new node ID secret will be able to read data that the allocation shouldn't have access to.
---
 .changelog/15121.txt | 3 +++
 client/allocrunner/taskrunner/identity_hook.go | 8 ++++++--
 client/allocrunner/taskrunner/task_runner.go | 4 ++++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/15121.txt

diff --git a/.changelog/15121.txt b/.changelog/15121.txt
new file mode 100644
index 000000000..a321c7b64
--- /dev/null
+++ b/.changelog/15121.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+wi: Fixed a bug where clients running pre-1.4.0 allocations would erase the token used to query service registrations after upgrade
+```
diff --git a/client/allocrunner/taskrunner/identity_hook.go b/client/allocrunner/taskrunner/identity_hook.go
index f318b89b2..cbbfa6ffd 100644
--- a/client/allocrunner/taskrunner/identity_hook.go
+++ b/client/allocrunner/taskrunner/identity_hook.go
@@ -36,7 +36,9 @@ func (h *identityHook) Prestart(ctx context.Context, req *interfaces.TaskPrestar
 defer h.lock.Unlock()
 
 token := h.tr.alloc.SignedIdentities[h.taskName]
- h.tr.setNomadToken(token)
+ if token != "" {
+ h.tr.setNomadToken(token)
+ }
 return nil
 }
 
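Review bot: The new `if token != ""` guard in Prestart carries no explanation of why an empty identity is skipped rather than reported, and the identical guard appears in the Update hunk that follows; a comment above it would capture the intent, e.g. `// Pre-1.4.0 allocations carry no signed identity; keep the node secret ID that NewTaskRunner seeded instead of clearing the token.` In Update the branch is also silent when an identity that was present earlier is now absent, which, if that can occur, leaves a stale token in place with nothing in the logs to show it, so a debug-level log on the empty branch would aid diagnosis. Since both hooks duplicate the lookup and guard, a small helper on identityHook that does the lookup and conditional set would keep them in step. Prestart's signature and lock acquisition lie above the hunk.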
@@ -45,6 +47,8 @@ func (h *identityHook) Update(_ context.Context, req *interfaces.TaskUpdateReque
 defer h.lock.Unlock()
 
 token := h.tr.alloc.SignedIdentities[h.taskName]
- h.tr.setNomadToken(token)
+ if token != "" {
+ h.tr.setNomadToken(token)
+ }
 return nil
 }
diff --git a/client/allocrunner/taskrunner/task_runner.go b/client/allocrunner/taskrunner/task_runner.go
index 6f8e45c04..12f1abf26 100644
--- a/client/allocrunner/taskrunner/task_runner.go
+++ b/client/allocrunner/taskrunner/task_runner.go
@@ -424,6 +424,10 @@ func NewTaskRunner(config *Config) (*TaskRunner, error) {
 return nil, err
 }
 
+ // Use the client secret only as the initial value; the identity hook will
+ // update this with a workload identity if one is available
+ tr.setNomadToken(config.ClientConfig.Node.SecretID)
+
 // Initialize the runners hooks. Must come after initDriver so hooks
 // can use tr.driverCapabilities
 tr.initHooks()
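Review bot: `tr.setNomadToken(config.ClientConfig.Node.SecretID)` seeds every task runner with the node secret, not only the pre-1.4.0 allocations the commit message targets, so for allocations that do have a signed identity the node credential (which the message itself notes could read data the allocation shouldn't) is the task's token from construction until the identity hook's Prestart replaces it, and remains so if that hook never runs. Gating the seed on the same lookup the hook performs would confine the fallback to the case it was written for, e.g. `if config.Alloc.SignedIdentities[config.Task.Name] == "" { tr.setNomadToken(config.ClientConfig.Node.SecretID) }`, assuming the runner Config exposes the alloc and task as the hook's `h.tr.alloc` usage suggests. The comment above the call relies on a hook ordering that initHooks establishes out of view; naming that dependency there (`// initHooks registers the identity hook, which replaces this value at Prestart`) would keep a later reordering from silently widening exposure. If `ClientConfig.Node` can be nil on any construction path, this line now dereferences it; any guard would sit outside the hunk, as does the rest of NewTaskRunner.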