From ad90128006a2bbca8760d0a0d12aa8c34b20be27 Mon Sep 17 00:00:00 2001
From: John Eikenberry
Date: Wed, 15 Feb 2023 13:08:09 -0800
Subject: [PATCH] add comments on legacy parameters support

---
 agent/connect/ca/provider_vault_auth_jwt.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/agent/connect/ca/provider_vault_auth_jwt.go b/agent/connect/ca/provider_vault_auth_jwt.go
index 8f1714e7942c..4b22515c0152 100644
--- a/agent/connect/ca/provider_vault_auth_jwt.go
+++ b/agent/connect/ca/provider_vault_auth_jwt.go
@@ -21,6 +21,7 @@ func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, er
 // So we only require the token file path if the token string isn't
 // present.
 needTokenPath := true
+// support legacy setup that allows directly passing the `jwt`
 if _, ok := hasJWT(params); ok {
 needTokenPath = false
 }
@@ -40,6 +41,7 @@ func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error
 params := authMethod.Params
 role := params["role"].(string)
 
+// support legacy setup that allows directly passing the `jwt`
 if jwt, ok := hasJWT(params); ok {
 return map[string]any{
 "role": role,
@@ -60,6 +62,9 @@ func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error
 }, nil
 }
 
+// Note the `jwt` can be passed directly in the authMethod as the it's Params
+// is a freeform map in the config where they could hardcode it.
+// See comment on configureVaultAuthMethod (in ./provider_vault.go) for more.
 func hasJWT(params map[string]any) (string, bool) {
 if jwt, ok := params["jwt"].(string); ok && strings.TrimSpace(jwt) != "" {
 return jwt, true
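Review bot: The new doc comment on hasJWT in the third hunk is garbled (`as the it's Params`) and does not start with the function name as Go doc comments conventionally do. Suggest replacing the three added lines with `// hasJWT returns the jwt from params when it is present and not blank.`, `// The jwt may be passed directly because authMethod.Params is a freeform map in the config, so a legacy setup can hardcode it there.` and `// See the comment on configureVaultAuthMethod (in ./provider_vault.go) for more.`. It is also worth stating in that comment that the value is returned as-is: the visible check applies strings.TrimSpace only to the emptiness test, so a jwt with surrounding whitespace is accepted and handed back untrimmed. The two identical `// support legacy setup ...` lines added in the first and second hunks could simply point readers at hasJWT's doc comment rather than repeating the explanation. hasJWT's body continues past the end of the hunk.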