Nomad needs to be vault integrated in order to use vault interpolations in jobs. #380
Comments
All that being said, the following addition to /etc/nomad.d/0_config.hcl should be sufficient to generate vault tokens and read secrets in a nomad job:
@oschistad Does this part satisfy the requirements https://github.com/fredrikhgrelland/vagrant-hashistack/blob/master/ansible/vault_nomad_integration.yml ?
@zhenik Eventually we need to use the same policies in vagrant as in the real environment, but a good start is to simply use the master token as shown above. This will tide us over nicely until such a time as we have a working least required privilege policy for Nomad, which is likely to be a few weeks out.
@oschistad Sorry for the misunderstanding, it relates to https://www.nomadproject.io/docs/integrations/vault-integration
Vagrant-hashistack needs to be a good simulacrum of the runtime environment in production, and this includes proper secrets management using vault. The target environment will rely on nomad being able to interpolate secrets and place them in the environment or config files of the application, and trigger on changes by restarting the job if necessary.
This means that Nomad needs to be pre-integrated with vault, and have a token associated with a policy with sufficient privileges. A good starting point is https://learn.hashicorp.com/tutorials/nomad/vault-postgres - full docs are at https://www.nomadproject.io/docs/integrations/vault-integration
Summarized, the following should be sufficient:
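The pieces the issue describes, written out as an added example; this is not the configuration from the issue, the comments, or the vagrant-hashistack repository. It covers the `vault` stanza for the Nomad agent, a Vault policy for the Nomad servers that avoids handing Nomad the root token (the policy paths follow the HashiCorp tutorial linked above), a task policy, and a job that renders a secret into its environment and restarts when it changes. The Vault address, token placeholder, policy names, secret path, datacenter and container image are assumptions for the example.

```hcl
# --- /etc/nomad.d/0_config.hcl: fragment added to the Nomad agent config ---
# Address, token and role name are assumptions for this example.
vault {
  enabled = true
  address = "http://active.vault.service.consul:8200"

  # Token the Nomad servers use to mint per-task tokens. The issue suggests
  # the Vault root/master token as a stopgap; swap in a periodic, orphan
  # token issued under the "nomad-server" policy below as soon as it exists.
  token = "s.REPLACE_WITH_NOMAD_SERVER_TOKEN"

  # Token role that bounds what the derived task tokens may hold.
  create_from_role = "nomad-cluster"
}

# --- nomad-server-policy.hcl: least-privilege Vault policy for Nomad servers ---
# Create task tokens under the "nomad-cluster" token role.
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}
# Read the token role to validate requested policies against it.
path "auth/token/roles/nomad-cluster" {
  capabilities = ["read"]
}
# Inspect its own token and the tokens it hands to tasks.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/lookup" {
  capabilities = ["update"]
}
# Revoke task tokens when allocations stop.
path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
# Check its own capabilities and keep its own token renewed.
path "sys/capabilities-self" {
  capabilities = ["update"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}

# --- example-app.hcl: policy carried by the task token (assumed secret path) ---
path "secret/data/example/db" {
  capabilities = ["read"]
}

# --- example.nomad: job that interpolates a Vault secret ---
job "example" {
  datacenters = ["dc1"]

  group "app" {
    task "web" {
      driver = "docker"

      config {
        image = "nginx:alpine"
      }

      # Nomad requests a Vault token with these policies for the task. If the
      # agent has no vault stanza, placement fails: the point of this issue.
      vault {
        policies    = ["example-app"]
        change_mode = "restart" # restart the task if its Vault token changes
      }

      # Render the secret to secrets/app.env and export it as environment
      # variables; when the secret changes in Vault, restart the task.
      template {
        data = <<EOH
DB_PASSWORD={{ with secret "secret/data/example/db" }}{{ .Data.data.password }}{{ end }}
EOH
        destination = "secrets/app.env"
        env         = true
        change_mode = "restart"
      }
    }
  }
}
```

Order of operations on the Vault side, using standard CLI commands: write the two policies with `vault policy write nomad-server nomad-server-policy.hcl` and `vault policy write example-app example-app.hcl`, create the `nomad-cluster` token role (the tutorial's role JSON sets `disallowed_policies` to `nomad-server`, `orphan` to true and a `token_period` so task tokens are renewable but can never hold the server policy), then issue the agent token with `vault token create -policy nomad-server -period 72h -orphan` and place it in the stanza above. The `template` stanza only re-renders on secret changes when the Vault KV path is versioned (`secret/data/...` on KV v2) or when the lease on a dynamic secret rolls; a static KV v1 value still renders but is not polled for change.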