Nomad /Secrets For Docker #2800

Closed
mqasim1983 opened this issue Jul 7, 2017 · 10 comments
Comments

@mqasim1983

Hi,

I need to add a public and a private key inside containers. I looked into /secrets. Is there any possibility to use it in Docker?
tmpfs 1.0M 0 1.0M 0% /secrets

Is there any possibility to pass a text file in Nomad to mount /secrets/PublicKey.txt without Vault, just like Docker secrets?

@jippi
Contributor

jippi commented Jul 7, 2017

You could use template{} + Vault to read the keys and write them to /secrets?

@mqasim1983
Author

Thanks for the reply.
I would need to add config in Nomad for Vault; that is one of the main reasons.

@mqasim1983
Author

@jippi

  vault {
    policies = ["default"]

    change_mode   = "signal"
    change_signal = "SIGUSR1"
  }

  template {
    data = <<EOF
{{ with secret “secret/hello" }}
{{ .Data.value }}{{ end }}
EOF
    destination   = "secrets/hello-world.tx"
    change_mode   = "signal"
    change_signal = "SIGINT"
  }

  ERROR : consul-template: (dynamic): parse: template: :1: unrecognized character in action: U+201C '“'


@mlehner616

The quotes here, destination = “secrets, don't look right. Are you sure those are in fact "?

@mlehner616

Sorry, I meant here: {{ with secret “secret ...

@dadgar
Contributor

dadgar commented Jul 17, 2017

@mqasim1983 The /secrets dir is mounted into the container and is backed by a tmpfs, so it is a good place to store your secrets. If you are trying to inject the value without using Vault, you essentially have two options.

1. Hard code the value in the template:

task "foo" {
  template {
    data = <<EOF
<LITERAL DATA>
EOF
    destination = "secrets/hello-world.txt"
  }
  ...
}

2. Store the secret data in Consul:

task "foo" {
  template {
    data = <<EOF
{{ key "my-secret-key" }}
EOF
    destination = "secrets/hello-world.txt"
  }
  ...
}

@dadgar dadgar closed this as completed Jul 17, 2017
@shantanugadgil
Contributor

shantanugadgil commented Jul 17, 2017

@dadgar I plan to use S3 as the source for an artifact, and the destination file will be inside secrets.
The access to S3 is locked down using IAM roles within AWS, so it should be considered safe, right?

The problem with an inline template would be that it would reveal the entire contents of the file when this .nomad file would get committed to sources.

Regards,
Shantanu

@dadgar
Contributor

dadgar commented Jul 18, 2017

@shantanugadgil Yes, choice #1 is definitely not recommended but given the original constraints those would be the two choices.

The way you are doing it is great!
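The two non-Vault patterns the thread settles on (a Consul-backed template, as in dadgar's option 2, and shantanugadgil's IAM-protected S3 artifact) combined in one Docker task, as an added example that is not from this issue or from the Nomad project; the job name, image, bucket, object name and Consul key path are placeholders, and the file permissions are an assumption chosen so the rendered key is readable only by the task user:

```hcl
job "keys-example" {
  datacenters = ["dc1"]
  type        = "service"

  group "app" {
    task "app" {
      driver = "docker"

      config {
        image   = "alpine:3.18"
        command = "sh"
        # /secrets is the tmpfs-backed directory Nomad mounts into the container,
        # so the key material is never written to the host's disk.
        args    = ["-c", "cat /secrets/public_key.pem && sleep 3600"]
      }

      # Option 2 from the thread: the public key lives in Consul KV under a
      # placeholder path and is rendered into secrets/ at allocation time, so
      # nothing sensitive is committed with the job file.
      template {
        data        = "{{ key \"keys/example/public_key\" }}"
        destination = "secrets/public_key.pem"
        perms       = "0400"   # assumption: owner-read only
        change_mode = "restart"
      }

      # Artifact variant from the thread: the private key is fetched from an
      # S3 object (placeholder bucket) whose access is governed by the instance
      # IAM role, so no static credentials appear in the job spec.
      artifact {
        source      = "s3::https://s3.amazonaws.com/example-bucket/private_key.pem"
        destination = "secrets/"
      }
    }
  }
}
```

Option 1 (a literal in the template) is deliberately left out, for the reason given above: whatever is inlined ends up in source control alongside the .nomad file.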

@mqasim1983
Author

@dadgar @shantanugadgil @mlehner616
Thanks it really helped me.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 11, 2022