Feature request: nested template interpolation #3534

Closed
issacg opened this issue Nov 13, 2017 · 4 comments

issacg commented Nov 13, 2017

Not sure how simple this would be, but if it's relatively low-hanging, then it would be nifty to allow nested interpolation of variables.

For example, if I want to ask Vault to issue a certificate for a job running which includes an IP alternative name (SAN), I'd want to query that from ${attr.unique.network.ip-address} and doing something like this:

    template {
      data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.certificate }}\n{{ .Data.ca_chain }}{{ end }}"
      destination = "secrets/client.crt"
      change_mode = "restart"
    }
    template {
      data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.private_key }}{{ end }}"
      destination = "secrets/client.key"
    }
Contributor

dadgar commented Nov 13, 2017

Hey Isaac,

This should be possible with any recent version of Nomad: https://www.nomadproject.io/docs/job-specification/template.html#node-variables

dadgar closed this as completed Nov 13, 2017

issacg commented Nov 14, 2017

Well, either I'm brain dead, or it's a bug :(

Nomad version

0.7.0

Operating system and Environment details

Linux 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l GNU/Linux

Issue

Nested interpolation not working

Reproduction steps

Connect Nomad to Vault with a PKI backend with a role "role"

    {
        "allow_any_name": true,
        "allow_bare_domains": false,
        "allow_base_domain": false,
        "allow_ip_sans": true,
        "allow_localhost": true,
        "allow_subdomains": false,
        "allow_token_displayname": false,
        "allowed_domains": "",
        "client_flag": true,
        "code_signing_flag": false,
        "email_protection_flag": false,
        "enforce_hostnames": true,
        "key_bits": 2048,
        "key_type": "rsa",
        "key_usage": "DigitalSignature,KeyAgreement,KeyEncipherment",
        "max_ttl": "8760h0m0s",
        "ou": "",
        "server_flag": true,
        "ttl": "768h0m0s",
        "use_csr_common_name": true
    }

Create a nomad job with the following template

    template {
      data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.certificate }}\n{{ .Data.ca_chain }}{{ end }}"
      destination = "secrets/client.crt"
      change_mode = "restart"
    }
    template {
      data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.private_key }}{{ end }}"
      destination = "secrets/client.key"
    }

Without the \"ip_sans=${attr.unique.network.ip-address}\", the above snippet works as expected

Nomad Server logs (if appropriate)

    Nov 14 14:36:53 pi2 nomad[23000]:     2017/11/14 14:36:53 [WARN] (view) vault.write(pki/issue/role-> 6bxxxx96): vault.write(pki/issue/role-> 6bxxxx96): Error making API request.
    Nov 14 14:36:53 pi2 nomad[23000]: URL: PUT https://192.168.3.1:8200/v1/pki/issue/role
    Nov 14 14:36:53 pi2 nomad[23000]: Code: 400. Errors:
    Nov 14 14:36:53 pi2 nomad[23000]: * the value '${attr.unique.network.ip-address}' is not a valid IP address (retry attempt 7 after "16s")
    Nov 14 14:36:53 pi2 nomad[23000]: (view) vault.write(pki/issue/role-> 6bxxxx96): vault.write(pki/issue/role-> 6bxxxx96): Error making API request.#012#012URL: PUT https://192.168.3.1:8200/v1/pki/issue/role #012Code: 400. Errors:#012#012* the value '${attr.unique.network.ip-address}' is not a valid IP address (retry attempt 7 after "16s")
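
The log above shows the literal string `${attr.unique.network.ip-address}` reaching Vault, while the node-variables section linked in the maintainer's reply documents reading node attributes inside a template with the `env` function. The fragment below is an added example, not part of the thread and not Nomad's own code; it assumes `env` exposes `attr.unique.network.ip-address` as that section describes, and it uses the Go-template `printf` builtin to build the `ip_sans` argument.

```hcl
# Added example (constructed): the two template stanzas from the report,
# with the node IP read inside the template instead of via ${...}.
# Assumption: node attributes are available to `env`, per the linked
# node-variables documentation.

template {
  # A heredoc avoids the \" escaping needed inside a quoted HCL string.
  # (printf ... (env ...)) is evaluated by the template engine, so Vault
  # receives "ip_sans=<node address>" rather than the literal placeholder.
  data = <<EOH
{{ with secret "pki/issue/role" "common_name=some.service.dc1.consul" "alt_names=some.service.consul" (printf "ip_sans=%s" (env "attr.unique.network.ip-address")) "ttl=168h" }}{{ .Data.certificate }}
{{ .Data.ca_chain }}{{ end }}
EOH

  destination = "secrets/client.crt"
  change_mode = "restart"
}

template {
  # Same arguments as the certificate template, as in the original report.
  data = <<EOH
{{ with secret "pki/issue/role" "common_name=some.service.dc1.consul" "alt_names=some.service.consul" (printf "ip_sans=%s" (env "attr.unique.network.ip-address")) "ttl=168h" }}{{ .Data.private_key }}{{ end }}
EOH

  destination = "secrets/client.key"
}
```

The role JSON in the report sets `allow_any_name` and `allow_ip_sans` to true, so the role itself does not restrict which names or IP addresses a template may request.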

issacg commented Nov 14, 2017

Hmm, I was kinda hoping that commenting would re-open. I'll open another issue for the report

github-actions bot commented Dec 6, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2022