Update consul-template to v0.24.1 and remove deprecated vault grace

CHANGELOG.md

@@ -3,6 +3,7 @@
 IMPROVEMENTS:
 
  * consul: Added support for configuring `enable_tag_override` on service stanzas. [[GH-2057](https://github.com/hashicorp/nomad/issues/2057)]
+ * client: Updated consul-template library to v0.24.1 - added support for working with consul connect. [Deprecated vault_grace](https://nomadproject.io/guides/upgrade/upgrade-specific/#nomad-0110) [[GH-7170](https://github.com/hashicorp/nomad/pull/7170)]
 
 BUG FIXES:
 

api/jobs_test.go

@@ -402,7 +402,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 										EmbeddedTmpl: stringToPtr("FOO=bar\n"),
 										DestPath:     stringToPtr("local/file.env"),
 										Envvars:      boolToPtr(true),
-										VaultGrace:   timeToPtr(3 * time.Second),
 									},
 								},
 							},
@@ -532,7 +531,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 										LeftDelim:    stringToPtr("{{"),
 										RightDelim:   stringToPtr("}}"),
 										Envvars:      boolToPtr(false),
-										VaultGrace:   timeToPtr(15 * time.Second),
 									},
 									{
 										SourcePath:   stringToPtr(""),
@@ -545,7 +543,6 @@ func TestJobs_Canonicalize(t *testing.T) {
 										LeftDelim:    stringToPtr("{{"),
 										RightDelim:   stringToPtr("}}"),
 										Envvars:      boolToPtr(true),
-										VaultGrace:   timeToPtr(3 * time.Second),
 									},
 								},
 							},

api/tasks.go

@@ -750,9 +750,6 @@ func (tmpl *Template) Canonicalize() {
 	if tmpl.Envvars == nil {
 		tmpl.Envvars = boolToPtr(false)
 	}
-	if tmpl.VaultGrace == nil {
-		tmpl.VaultGrace = timeToPtr(15 * time.Second)
-	}
 }
 
 type Vault struct {

client/allocrunner/taskrunner/template/template.go

@@ -611,17 +611,6 @@ func newRunnerConfig(config *TaskTemplateManagerConfig,
 	}
 	conf.Templates = &flat
 
-	// Go through the templates and determine the minimum Vault grace
-	vaultGrace := time.Duration(-1)
-	for _, tmpl := range templateMapping {
-		// Initial condition
-		if vaultGrace < 0 {
-			vaultGrace = tmpl.VaultGrace
-		} else if tmpl.VaultGrace < vaultGrace {
-			vaultGrace = tmpl.VaultGrace
-		}
-	}
-
 	// Force faster retries
 	if config.retryRate != 0 {
 		rate := config.retryRate
@@ -666,7 +655,6 @@ func newRunnerConfig(config *TaskTemplateManagerConfig,
 	if cc.VaultConfig != nil && cc.VaultConfig.IsEnabled() {
 		conf.Vault.Address = &cc.VaultConfig.Addr
 		conf.Vault.Token = &config.VaultToken
-		conf.Vault.Grace = helper.TimeToPtr(vaultGrace)
 		if config.ClientConfig.VaultConfig.Namespace != "" {
 			conf.Vault.Namespace = &config.ClientConfig.VaultConfig.Namespace
 		}

client/allocrunner/taskrunner/template/template_test.go

@@ -1340,51 +1340,6 @@ func TestTaskTemplateManager_Config_ServerName(t *testing.T) {
 	}
 }
 
-// TestTaskTemplateManager_Config_VaultGrace asserts the vault_grace setting is
-// propagated to consul-template's configuration.
-func TestTaskTemplateManager_Config_VaultGrace(t *testing.T) {
-	t.Parallel()
-	assert := assert.New(t)
-	c := config.DefaultConfig()
-	c.Node = mock.Node()
-	c.VaultConfig = &sconfig.VaultConfig{
-		Enabled:       helper.BoolToPtr(true),
-		Addr:          "https://localhost/",
-		TLSServerName: "notlocalhost",
-	}
-
-	alloc := mock.Alloc()
-	config := &TaskTemplateManagerConfig{
-		ClientConfig: c,
-		VaultToken:   "token",
-
-		// Make a template that will render immediately
-		Templates: []*structs.Template{
-			{
-				EmbeddedTmpl: "bar",
-				DestPath:     "foo",
-				ChangeMode:   structs.TemplateChangeModeNoop,
-				VaultGrace:   10 * time.Second,
-			},
-			{
-				EmbeddedTmpl: "baz",
-				DestPath:     "bam",
-				ChangeMode:   structs.TemplateChangeModeNoop,
-				VaultGrace:   100 * time.Second,
-			},
-		},
-		EnvBuilder: taskenv.NewBuilder(c.Node, alloc, alloc.Job.TaskGroups[0].Tasks[0], c.Region),
-	}
-
-	ctmplMapping, err := parseTemplateConfigs(config)
-	assert.Nil(err, "Parsing Templates")
-
-	ctconf, err := newRunnerConfig(config, ctmplMapping)
-	assert.Nil(err, "Building Runner Config")
-	assert.NotNil(ctconf.Vault.Grace, "Vault Grace Pointer")
-	assert.Equal(10*time.Second, *ctconf.Vault.Grace, "Vault Grace Value")
-}
-
 // TestTaskTemplateManager_Config_VaultNamespace asserts the Vault namespace setting is
 // propagated to consul-template's configuration.
 func TestTaskTemplateManager_Config_VaultNamespace(t *testing.T) {
@@ -1413,7 +1368,6 @@ func TestTaskTemplateManager_Config_VaultNamespace(t *testing.T) {
 
 	ctconf, err := newRunnerConfig(config, ctmplMapping)
 	assert.Nil(err, "Building Runner Config")
-	assert.NotNil(ctconf.Vault.Grace, "Vault Grace Pointer")
 	assert.Equal(testNS, *ctconf.Vault.Namespace, "Vault Namespace Value")
 }
 

command/agent/job_endpoint_test.go

@@ -1706,7 +1706,6 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 								LeftDelim:    helper.StringToPtr("abc"),
 								RightDelim:   helper.StringToPtr("def"),
 								Envvars:      helper.BoolToPtr(true),
-								VaultGrace:   helper.TimeToPtr(3 * time.Second),
 							},
 						},
 						DispatchPayload: &api.DispatchPayloadConfig{
@@ -2054,7 +2053,6 @@ func TestJobs_ApiJobToStructsJob(t *testing.T) {
 								LeftDelim:    "abc",
 								RightDelim:   "def",
 								Envvars:      true,
-								VaultGrace:   3 * time.Second,
 							},
 						},
 						DispatchPayload: &structs.DispatchPayloadConfig{

jobspec/parse_task.go

@@ -359,7 +359,7 @@ func parseTemplates(result *[]*api.Template, list *ast.ObjectList) error {
 			"source",
 			"splay",
 			"env",
-			"vault_grace",
+			"vault_grace", //COMPAT(0.12) not used; emits warning in 0.11.
 		}
 		if err := helper.CheckHCLKeys(o.Val, valid); err != nil {
 			return err
@@ -374,6 +374,7 @@ func parseTemplates(result *[]*api.Template, list *ast.ObjectList) error {
 			ChangeMode: helper.StringToPtr("restart"),
 			Splay:      helper.TimeToPtr(5 * time.Second),
 			Perms:      helper.StringToPtr("0644"),
+			VaultGrace: helper.TimeToPtr(0),
 		}
 
 		dec, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{

jobspec/parse_test.go

@@ -320,7 +320,6 @@ func TestParse(t *testing.T) {
 										Splay:        helper.TimeToPtr(10 * time.Second),
 										Perms:        helper.StringToPtr("0644"),
 										Envvars:      helper.BoolToPtr(true),
-										VaultGrace:   helper.TimeToPtr(33 * time.Second),
 									},
 									{
 										SourcePath: helper.StringToPtr("bar"),

jobspec/test-fixtures/service-enable-tag-override.hcl

@@ -1,9 +1,10 @@
 job "service_eto" {
   type = "service"
+
   group "group" {
     task "task" {
       service {
-        name = "example"
+        name                = "example"
         enable_tag_override = true
       }
     }

jobspec/test-fixtures/tg-service-enable-tag-override.hcl

@@ -1,7 +1,7 @@
 job "group_service_eto" {
   group "group" {
     service {
-      name = "example"
+      name                = "example"
       enable_tag_override = true
     }
   }

nomad/structs/diff_test.go

@@ -5666,7 +5666,6 @@ func TestTaskDiff(t *testing.T) {
 						ChangeSignal: "SIGHUP",
 						Splay:        1,
 						Perms:        "0644",
-						VaultGrace:   3 * time.Second,
 					},
 					{
 						SourcePath:   "foo2",
@@ -5677,7 +5676,6 @@ func TestTaskDiff(t *testing.T) {
 						Splay:        2,
 						Perms:        "0666",
 						Envvars:      true,
-						VaultGrace:   5 * time.Second,
 					},
 				},
 			},
@@ -5691,7 +5689,6 @@ func TestTaskDiff(t *testing.T) {
 						ChangeSignal: "SIGHUP",
 						Splay:        1,
 						Perms:        "0644",
-						VaultGrace:   3 * time.Second,
 					},
 					{
 						SourcePath:   "foo3",
@@ -5701,7 +5698,6 @@ func TestTaskDiff(t *testing.T) {
 						ChangeSignal: "SIGHUP3",
 						Splay:        3,
 						Perms:        "0776",
-						VaultGrace:   10 * time.Second,
 					},
 				},
 			},
@@ -5760,12 +5756,6 @@ func TestTaskDiff(t *testing.T) {
 								Old:  "",
 								New:  "3",
 							},
-							{
-								Type: DiffTypeAdded,
-								Name: "VaultGrace",
-								Old:  "",
-								New:  "10000000000",
-							},
 						},
 					},
 					{
@@ -5820,12 +5810,6 @@ func TestTaskDiff(t *testing.T) {
 								Old:  "2",
 								New:  "",
 							},
-							{
-								Type: DiffTypeDeleted,
-								Name: "VaultGrace",
-								Old:  "5000000000",
-								New:  "",
-							},
 						},
 					},
 				},

nomad/structs/structs.go

@@ -5829,6 +5829,24 @@ func (t *Task) Warnings() error {
 		mErr.Errors = append(mErr.Errors, fmt.Errorf("IOPS has been deprecated as of Nomad 0.9.0. Please remove IOPS from resource stanza."))
 	}
 
+	for idx, tmpl := range t.Templates {
+		if err := tmpl.Warnings(); err != nil {
+			err = multierror.Prefix(err, fmt.Sprintf("Template[%d]", idx))
+			mErr.Errors = append(mErr.Errors, err)
+		}
+	}
+
+	return mErr.ErrorOrNil()
+}
+
+func (t *Template) Warnings() error {
+	var mErr multierror.Error
+
+	// Deprecation notice for vault_grace
+	if t.VaultGrace > 0 {
+		mErr.Errors = append(mErr.Errors, fmt.Errorf("VaultGrace has been deprecated as of Nomad 0.11 and ignored since Vault 0.5. Please remove VaultGrace / vault_grace from template stanza."))
+	}
+
 	return mErr.ErrorOrNil()
 }
 
@@ -5964,6 +5982,7 @@ type Template struct {
 	// VaultGrace is the grace duration between lease renewal and reacquiring a
 	// secret. If the lease of a secret is less than the grace, a new secret is
 	// acquired.
+	// COMPAT(0.12) VaultGrace has been ignored by Vault since Vault v0.5.
 	VaultGrace time.Duration
 }
 
@@ -6038,10 +6057,6 @@ func (t *Template) Validate() error {
 		}
 	}
 
-	if t.VaultGrace.Nanoseconds() < 0 {
-		multierror.Append(&mErr, fmt.Errorf("Vault grace must be greater than zero: %v < 0", t.VaultGrace))
-	}
-
 	return mErr.ErrorOrNil()
 }