Feature: Vault secrets in job specifications

[lnguyen]

Support of vault secrets would be great for jobs when needing to set passwords in env for docker driver

[dadgar]

This is on the roadmap btw and something we are excited about!

[lnguyen]

Awesome!

[margueritepd]

This would also be helpful for specifying the ssh key used to download git artifacts!

[schmichael]

This came up again on the mailing list recently: https://groups.google.com/d/msg/nomad-tool/W7hSJGBlmlM/6C9swWhqAAAJ

[arianvp]

I guess groundwork has been made in #1765 . It does not support vault secrets yet, but does allow specifying environment variables simiarly to the template support. Adding vault secrets to the env stanza similarly like how it works in template stanza seems like a good idea. A current workaround could be using envconsul, however, that does not work if you're using the docker or rkt driver

[schmichael]

@arianvp I'm glad you brought this issue to my attention again because it was fixed by the same PR (#2654) that fixed #1765.

In Nomad 0.6 you'll be able to create env vars in templates using all of the same facilities as normal templates.

[margueritepd]

@schmichael can you clarify how #2654 addressed the concern of this mailing list post ?

[arianvp]

I'm a bit confused though. Why does the template need a destination path when in env var mode?

[schmichael]

@arianvp Great question!

The env var implementation writes environment variables to a file in the alloc directory for a couple reasons:

1. Easier to debug - if we just rendered env vars in memory and your task couldn't start due to improperly rendered env vars it would be very difficult to debug.
2. Reuse existing template functionality - not only was I able to reuse the existing template code, but hopefully it makes it easier for users to reason about: env vars templates are just like any other template except they also get loaded into your task's environment for you.

[schmichael]

@margueritepd Sorry for the slow update! I posted to the list: https://groups.google.com/d/msg/nomad-tool/W7hSJGBlmlM/E2RLNDFwAgAJ

Sadly I was wrong and #2654 didn't address this use case as artifacts are downloaded before templates are rendered. Follow #1185 for arbitrary jobspec templating including vault secrets.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.