hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Auto fetch agent consul token #23473

Open jorgemarey opened 5 days ago

jorgemarey commented 5 days ago

Proposal

With the addition of workload identities, Nomad would automatically fetch Consul tokens for services and tasks, but we still need to provide a Consul token for Nomad to be able to perform other operations in Consul.

Maybe Nomad servers could also issue a JWT for clients that they use for login and retrieval of the Consul token used by the agent.

A configuration option could be provided as `agent_auth_method`, similar to the ones currently present for tasks and services.

The issued JWT could have the `node_class`, `node_pool` and `name`.

This would avoid needing to set a Consul token in the configuration.

I don't know if this is possible given how Nomad currently starts and connects with the servers. But if it's possible, I think it would be an improvement.

pkazmierczak commented 4 days ago

Hi @jorgemarey, thanks for the suggestion. Indeed, we do have future plans for improving the Consul integration based on WI tokens, but it's not currently on our next release roadmap and it's hard for us to commit to a timeline here. It's definitely something we will be revisiting in the future, though.