The release announcement mentions that “Consul and Vault client fingerprints no longer reload periodically to detect config changes. They must be induced by restarting the client agent, or sending it a SIGHUP signal to reload online”.
Does that mean I need to restart the client agents regularly? If so, in what interval? Is this configurable?
Thx for your insights.
Hey there, thanks for reaching out!
Most users will be unaffected by this change. These are the conditions where you’ll need to restart (or SIGHUP signal) the client agent:
- You change the `vault{}` block in your Nomad client agent configuration file.
  - This is the most likely reason to restart/reload the agent, the same as other such configuration changes.
- Vault server(s) change, specifically: Vault version or its configured cluster name (or the cluster ID, but this is unlikely without a respective config change in Nomad to point to a different cluster)
  - And this only really matters if you are, for some reason, using these values in your job specification or for some other specific purpose. If this were the case, you’d probably be aware of it.

The same applies to the `consul{}` block in Nomad agent configuration, and some metadata retrieved via Consul API.
A primary reason for this change is to avoid a whole lot of Nomad client agents simultaneously updating Nomad servers with new Vault (or Consul) versions when Vault is updated, especially during Vault cluster upgrades, where from a Nomad client’s point of view, the Vault version may appear to be changing back and forth. Or, if connectivity between the Nomad client and Vault is inconsistent (“flapping”). Either case could result in a stampede of fingerprint updates, prior to this change.
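One way to check whether any job specification depends on these fingerprinted values, as an added example that is not part of the original thread or of Nomad itself. It assumes the values are referenced through node attribute interpolation such as `${attr.vault.version}` or `${attr.consul.version}`; the function names and the sample job are constructed for illustration.

```python
import re

# Assumption: Vault/Consul fingerprint data is referenced in job specs as
# ${attr.vault.<key>} or ${attr.consul.<key>} (optionally with "unique.").
ATTR_RE = re.compile(
    r"\$\{\s*attr\.((?:unique\.)?(?:vault|consul)\.[A-Za-z0-9_.]+)\s*\}"
)

def find_fingerprint_refs(jobspec_text):
    """Return (line_number, attribute) for each Vault/Consul attribute used."""
    refs = []
    for lineno, line in enumerate(jobspec_text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # ignore whole-line HCL comments
        for match in ATTR_RE.finditer(line):
            refs.append((lineno, match.group(1)))
    return refs

def stale_after(jobspec_text, changed_attrs):
    """References whose value stays stale until the client agent is reloaded."""
    return [r for r in find_fingerprint_refs(jobspec_text) if r[1] in changed_attrs]

# Constructed sample job spec (not taken from the thread).
SAMPLE_JOB = '''
job "api" {
  # constraint on ${attr.vault.version} is documented below
  constraint {
    attribute = "${attr.vault.version}"
    operator  = "semver"
    value     = ">= 1.12"
  }
  group "web" {
    constraint {
      attribute = "${attr.consul.version}"
      operator  = "semver"
      value     = ">= 1.15"
    }
    task "app" {
      driver = "docker"
      env { KERNEL = "${attr.kernel.name}" }
    }
  }
}
'''

if __name__ == "__main__":
    # A Vault upgrade changes only the Vault version attribute.
    for lineno, attr in stale_after(SAMPLE_JOB, {"vault.version"}):
        print(f"line {lineno}: {attr} needs a client reload to refresh")
```

An empty result for every job means a Vault or Consul upgrade alone gives no reason to reload the client agents.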
Thanks for the response. I wasn’t sure if that meant I need to periodically restart the clients.
And that also means if I update Vault to a newer version, I don’t have to restart all clients?