-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
identity: version check multiple and implicit identities #18926
Conversation
Job submitters cannot set multiple identities prior to Nomad 1.7, and cluster administrators should not set the identity configurations for their `consul` and `vault` configuration blocks until all servers have been upgraded. Validate these cases during job submission so as to prevent state store corruption when jobs are submitting in the middle of a cluster upgrade.
7d1bddd
to
8b4ed26
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I think this is a great way to protect against truly wacky behavior in mixed version settings.
An implicit constraint on the client being >= 1.7.0 would be useful too.
if v.srv == nil || v.srv.serf == nil { | ||
return true // handle tests w/o real servers safely | ||
} | ||
return ServersMeetMinimumVersion( | ||
v.srv.Members(), v.srv.Region(), minVersionMultiIdentities, true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be nice if ServersMeetMinimumVersion was a struct that wrapped up Members()
and Region()
and only provided a simple Meets(version, checkFailed)
interface for us to mock/stub out in tests.
nbd though, nothing to block this work on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've opened #18931 to follow-up on that when I have a few minutes.
67502f6
to
91be7e3
Compare
91be7e3
to
486b2b9
Compare
Agreed. I'll follow-up with that in a separate PR. |
Follow-up for the client version check in #18932 |
…8926) Job submitters cannot set multiple identities prior to Nomad 1.7, and cluster administrators should not set the identity configurations for their `consul` and `vault` configuration blocks until all servers have been upgraded. Validate these cases during job submission so as to prevent state store corruption when jobs are submitting in the middle of a cluster upgrade.
…8926) Job submitters cannot set multiple identities prior to Nomad 1.7, and cluster administrators should not set the identity configurations for their `consul` and `vault` configuration blocks until all servers have been upgraded. Validate these cases during job submission so as to prevent state store corruption when jobs are submitting in the middle of a cluster upgrade.
Job submitters cannot set multiple identities prior to Nomad 1.7, and cluster administrators should not set the identity configurations for their
consul
andvault
configuration blocks until all servers have been upgraded. Validate these cases during job submission so as to prevent state store corruption when jobs are submitting in the middle of a cluster upgrade.