Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

e2e: Migrate legacy Vault token based workflow to workload ID #25139

Merged
merged 3 commits into from
Feb 20, 2025
Merged

e2e: Migrate legacy Vault token based workflow to workload ID #25139

merged 3 commits into from
Feb 20, 2025
+314 −210

Conversation

jrasell
Copy link
Member

@jrasell jrasell commented Feb 18, 2025
edited
Loading

Description

The Nomad e2e cluster was using the legacy Vault token based workflow for initial cluster build. This change migrates to using the workload identity flow which utilizes authentication methods, roles, and policies.

The Nomad server network has been modified to allow traffic from the HCP Vault HVN which is a private network peered into our AWS account. This is required, so that Vault can pull JWKS information from the Nomad API without going over the public internet.

The cluster build will now also configure a Vault KV v2 mount at a unique identifier for the e2e cluster. This allows all Nomad workloads and tests to use this if required.

The vaultsecrets suite has been updated to accommodate the new changes and extended to test the default workload ID flow for allocations which use Vault for secrets.

The change also removes the legacy Vault compatibility tests. These will not exist on the 1.10.0/main branches but will do backport branches, so will be triggered on backports PRs and merges.

Testing & Reproduction steps

Run a personal e2e cluster and trigger tests as desired.

Links

Jira: https://hashicorp.atlassian.net/browse/NET-10260

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.

@jrasell jrasell self-assigned this Feb 18, 2025
@jrasell
e2e: Remove legacy token based Vault compatibility tests.
1ec185e 
Nomad 1.10.0 is removing the legacy Vault token based workflow
which means the legacy e2e compatibility tests will fail and not
work.
@jrasell
e2e: Migrate e2e cluster to use Vault workload identity flow.
1bd3ef6 
The Nomad e2e cluster was using the legacy Vault token based
workflow for initial cluster build. This change migrates to using
the workload identity flow which utilizes authentication methods,
roles, and policies.

The Nomad server network has been modified to allow traffic from
the HCP Vault HVN which is a private network peered into our AWS
account. This is required, so that Vault can pull JWKS
information from the Nomad API without going over the public
internet.

The cluster build will now also configure a Vault KV v2 mount at
a unique indentifier for the e2e cluster. This allows all Nomad
workloads and tests to use this if required.

The vaultsecrets suite has been updated to accommodate the new
changes and extended to test the default workload ID flow for
allocations which use Vault for secrets.
@jrasell jrasell force-pushed the f-NET-10260-vault-e2e branch from c0a84fe to 1bd3ef6 Compare February 18, 2025 11:48
@jrasell jrasell marked this pull request as ready for review February 18, 2025 12:19
@jrasell jrasell requested review from a team as code owners February 18, 2025 12:19
@jrasell jrasell mentioned this pull request Feb 19, 2025
Draft
6 tasks
tgross
tgross previously approved these changes Feb 19, 2025
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jrasell jrasell requested a review from tgross February 20, 2025 11:33
tgross
tgross approved these changes Feb 20, 2025
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@jrasell jrasell merged commit 8bce0b0 into main Feb 20, 2025
30 checks passed
@jrasell jrasell deleted the f-NET-10260-vault-e2e branch February 20, 2025 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tgross tgross tgross approved these changes

@Juanadelacuesta Juanadelacuesta Awaiting requested review from Juanadelacuesta

@gulducat gulducat Awaiting requested review from gulducat

@mismithhisler mismithhisler Awaiting requested review from mismithhisler

Assignees

@jrasell jrasell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrasell @tgross