Nested interpolation not working #3549

Closed
issacg opened this issue Nov 14, 2017 · 5 comments


issacg commented Nov 14, 2017

Nomad version

0.7.0

Operating system and Environment details

Linux 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l GNU/Linux

Issue

Nested interpolation not working

Reproduction steps

Connect Nomad to Vault with a PKI backend with a role "role"

{
    "allow_any_name": true,
    "allow_bare_domains": false,
    "allow_base_domain": false,
    "allow_ip_sans": true,
    "allow_localhost": true,
    "allow_subdomains": false,
    "allow_token_displayname": false,
    "allowed_domains": "",
    "client_flag": true,
    "code_signing_flag": false,
    "email_protection_flag": false,
    "enforce_hostnames": true,
    "key_bits": 2048,
    "key_type": "rsa",
    "key_usage": "DigitalSignature,KeyAgreement,KeyEncipherment",
    "max_ttl": "8760h0m0s",
    "ou": "",
    "server_flag": true,
    "ttl": "768h0m0s",
    "use_csr_common_name": true
}

Create a nomad job with the following template

    template {
         data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.certificate }}\n{{ .Data.ca_chain }}{{ end }}"
         destination = "secrets/client.crt"
         change_mode = "restart"
      }
    template {
         data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.private_key }}{{ end }}"
         destination = "secrets/client.key"
      }

Without the \"ip_sans=${attr.unique.network.ip-address}\", the above snippet works as expected

Nomad Server logs (if appropriate)

Nov 14 14:36:53 pi2 nomad[23000]:     2017/11/14 14:36:53 [WARN] (view) vault.write(pki/issue/role-> 6bxxxx96): vault.write(pki/issue/role-> 6bxxxx96): Error making API request.
Nov 14 14:36:53 pi2 nomad[23000]: URL: PUT https://192.168.3.1:8200/v1/pki/issue/role
Nov 14 14:36:53 pi2 nomad[23000]: Code: 400. Errors:
Nov 14 14:36:53 pi2 nomad[23000]: * the value '${attr.unique.network.ip-address}' is not a valid IP address (retry attempt 7 after "16s")
Nov 14 14:36:53 pi2 nomad[23000]: (view) vault.write(pki/issue/role-> 6bxxxx96): vault.write(pki/issue/role-> 6bxxxx96): Error making API request.#012#012URL: PUT https://192.168.3.1:8200/v1/pki/issue/role #012Code: 400. Errors:#012#012* the value '${attr.unique.network.ip-address}' is not a valid IP address (retry attempt 7 after "16s")

Reference: #3534

Contributor

dadgar commented Nov 14, 2017

Hey you have to use the env keyword as those variables are exposed to the template as environment variables. You can see an example of this here: https://www.nomadproject.io/docs/job-specification/template.html#node-variables

E.g. ${env "attr.unique.network.ip-address"}

I am going to close this but if it doesn't work for you we can reopen!

dadgar closed this as completed Nov 14, 2017

Author

issacg commented Nov 16, 2017

It did indeed work.

It was a PITA to debug as there's no way to tell when in the templates there are bugs, but I eventually came up with this:

      template {
         data =<<EOH
{{ with secret "pki/issue/role" "common_name=some.service.dc1.consul" "alt_names=some.service.consul" (env "attr.unique.network.ip-address" | printf  "ip_sans=%s") "ttl=168h" }}{{ .Data.certificate }}
{{ .Data.ca_chain }}{{ end }}
EOH
         destination = "secrets/client.crt"
         change_mode = "restart"
      }
...
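
The difference between the two template forms in this thread, as an added Go example that is not from the issue's participants or from Nomad. `Render`, `nodeEnv` and the `env`/`secret` functions are hypothetical stand-ins (not consul-template's implementations) and 192.168.3.10 is a constructed address; the point is that `${...}` text reaches the secret call verbatim, while `env` piped into `printf` builds a valid `ip_sans` parameter.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
	"text/template"
)

// Constructed sample: node attributes as the template sees them, by name.
var nodeEnv = map[string]string{"attr.unique.network.ip-address": "192.168.3.10"}

type secretResp struct{ Data map[string]string }

// Render runs src through Go's text/template with hypothetical stand-ins
// for env and secret. It returns the rendered text and the key=value
// parameters that the secret call received.
func Render(src string) (string, map[string]string, error) {
	params := map[string]string{}
	funcs := template.FuncMap{
		"env": func(name string) string { return nodeEnv[name] },
		"secret": func(path string, kv ...string) (*secretResp, error) {
			for _, p := range kv {
				if parts := strings.SplitN(p, "=", 2); len(parts) == 2 {
					params[parts[0]] = parts[1]
				}
			}
			// Mimic the rejection seen in the issue's log for a non-IP value.
			if ip, ok := params["ip_sans"]; ok && net.ParseIP(ip) == nil {
				return nil, fmt.Errorf("the value '%s' is not a valid IP address", ip)
			}
			return &secretResp{Data: map[string]string{"certificate": "CERT-FOR-" + params["ip_sans"]}}, nil
		},
	}
	t, err := template.New("job").Funcs(funcs).Parse(src)
	if err != nil {
		return "", params, err
	}
	var out bytes.Buffer
	err = t.Execute(&out, nil)
	return out.String(), params, err
}

const Broken = `{{ with secret "pki/issue/role" "ip_sans=${attr.unique.network.ip-address}" "ttl=168h" }}{{ .Data.certificate }}{{ end }}`
const Fixed = `{{ with secret "pki/issue/role" (env "attr.unique.network.ip-address" | printf "ip_sans=%s") "ttl=168h" }}{{ .Data.certificate }}{{ end }}`

func main() {
	for _, src := range []string{Broken, Fixed} {
		out, params, err := Render(src)
		fmt.Printf("ip_sans=%q out=%q err=%v\n", params["ip_sans"], out, err)
	}
}
```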


andkuzmich commented Sep 1, 2018

How did you debug templates? I'm trying to pass a consul key from meta in parametrized job to template and have no idea how to do it:

template {
        data =<<EOH
         JSON_VAR_PROFILE={{ key "path/to/consul/key/"(env "NOMAD_META_INPUT" )| toJSON }}
        EOH
        destination = "local/template.env"
        env = true
      }


g-vit commented Aug 12, 2019

for kv

template {
        data =<<EOH
         JSON_VAR_PROFILE={{ key (env "NOMAD_META_INPUT" ) | printf "path/to/consul/key/%s" | toJSON }}
        EOH
        destination = "local/template.env"
        env = true
      }

github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2022