@the-nando can you confirm that the job itself still has the right Vault namespace? i.e. if you run nomad job inspect?
Otherwise, your note that "A Nomad restart on the client "fixes" the problem" leads me to think this is a problem in the client. Because a Vault API client is expensive to set up because of TLS, we reuse it between operations. But we have logic that's supposed to reset the namespace and token (ref vaultclient.go#L252-L261)
When you do a job inspect there’s no namespace set. It’s indeed an issue on the client, the only way to fix it is by restarting the agent.
Hi @the-nando! I'm picking this up and fortunately/unfortunately was able to reproduce this with a very simple unit test. I'll have a fix up shortly.
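The comment above about reusing one Vault API client and resetting its namespace and token between operations can be illustrated with a small model. This is an added example, not Nomad's code or the unit test mentioned in the thread: `sharedClient`, `deriveStale` and `deriveReset` are hypothetical names, the token values are constructed, and the conditional-set pattern in `deriveStale` is an assumed way such state can leak, since the page does not show the actual root cause.

```go
package main

import "fmt"

// sharedClient is a hypothetical stand-in for a long-lived Vault API client
// that is reused between operations; it is not a Nomad or Vault type.
type sharedClient struct {
	namespace string // sent as the namespace header on each request
	token     string
}

// op is one token-derivation request taken from a job's vault block.
type op struct{ namespace, token string }

// deriveStale applies the namespace only when the job sets one (assumed
// bug pattern), so namespace = "" inherits the previous job's value.
func deriveStale(c *sharedClient, o op) string {
	c.token = o.token
	if o.namespace != "" {
		c.namespace = o.namespace
	}
	return c.namespace // namespace the request would actually use
}

// deriveReset overwrites per-operation state unconditionally and clears
// it when the operation ends, so nothing leaks into the next caller.
func deriveReset(c *sharedClient, o op) string {
	c.token, c.namespace = o.token, o.namespace
	defer func() { c.token, c.namespace = "", "" }()
	return c.namespace
}

// replay runs the issue's sequence on one shared client: a job version
// with namespace "foobar", then a resubmission with namespace "".
func replay(derive func(*sharedClient, op) string) []string {
	c := &sharedClient{}
	// Constructed sample tokens; "foobar" is the namespace from the issue.
	jobs := []op{{"foobar", "s.constructed-1"}, {"", "s.constructed-2"}}
	used := make([]string, 0, len(jobs))
	for _, j := range jobs {
		used = append(used, derive(c, j))
	}
	return used
}

func main() {
	fmt.Printf("stale: %q\n", replay(deriveStale))
	fmt.Printf("reset: %q\n", replay(deriveReset))
}
```

A regression test for shared-client state should run two operations back to back on the same client, with the second one leaving the field empty, because a single-operation test never observes the leak.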
Nomad version
Issue
I've run into an odd issue which I'm trying to make sense of, hopefully someone can help.
If I submit a job with a namespace set in the Vault stanza which fails to deploy, for instance because the role specified doesn't exist, the value of the namespace seems to persist across job versions, i.e. I'm unable to set namespace = "". Interestingly enough the value seems to persist even across job purges.
Reproduction steps
Run the following job:
Error in the client logs as expected, since the role doesn't exist:
Update the job spec and resubmit the job:
Error as expected:
Stop and purge the job:
Update the job spec and re-submit:
Error:
Where does Namespace: foobar come from? A Nomad restart on the client "fixes" the problem.
Nomad client config: