Closed issacg closed 6 years ago
Hey Isaac,
This should be possible with any recent version of Nomad: https://www.nomadproject.io/docs/job-specification/template.html#node-variables
Well, either I'm brain dead, or it's a bug :(
Nomad version: 0.7.0
Operating system: Linux 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l GNU/Linux
Issue: Nested interpolation not working
Connect Nomad to Vault with a PKI backend with a role "role"
{
"allow_any_name": true,
"allow_bare_domains": false,
"allow_base_domain": false,
"allow_ip_sans": true,
"allow_localhost": true,
"allow_subdomains": false,
"allow_token_displayname": false,
"allowed_domains": "",
"client_flag": true,
"code_signing_flag": false,
"email_protection_flag": false,
"enforce_hostnames": true,
"key_bits": 2048,
"key_type": "rsa",
"key_usage": "DigitalSignature,KeyAgreement,KeyEncipherment",
"max_ttl": "8760h0m0s",
"ou": "",
"server_flag": true,
"ttl": "768h0m0s",
"use_csr_common_name": true
}
Create a Nomad job with the following template:
template {
data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.certificate }}\n{{ .Data.ca_chain }}{{ end }}"
destination = "secrets/client.crt"
change_mode = "restart"
}
template {
data = "{{ with secret \"pki/issue/role\" \"common_name=some.service.dc1.consul\" \"alt_names=some.service.consul\" \"ip_sans=${attr.unique.network.ip-address}\" \"ttl=168h\" }}{{ .Data.private_key }}{{ end }}"
destination = "secrets/client.key"
}
Without the "ip_sans=${attr.unique.network.ip-address}", the above snippet works as expected.
Nov 14 14:36:53 pi2 nomad[23000]: 2017/11/14 14:36:53 [WARN] (view) vault.write(pki/issue/role-> 6bxxxx96): vault.write(pki/issue/role-> 6bxxxx96): Error making API request.
Nov 14 14:36:53 pi2 nomad[23000]: URL: PUT https://192.168.3.1:8200/v1/pki/issue/role
Nov 14 14:36:53 pi2 nomad[23000]: Code: 400. Errors:
Nov 14 14:36:53 pi2 nomad[23000]: * the value '${attr.unique.network.ip-address}' is not a valid IP address (retry attempt 7 after "16s")
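The log lines above show what actually went wrong: the string `${attr.unique.network.ip-address}` reached Vault unchanged, because inside the template `data` it is just a quoted literal that consul-template (a Go text/template) hands to `secret` as-is. The node-variables doc linked earlier in the thread exposes node attributes to templates through the `env` function, so the argument has to be built with a template pipeline such as `(printf "ip_sans=%s" (env "attr.unique.network.ip-address"))` rather than with Nomad's `${...}` syntax. The following Go program is an added example, not code from the Nomad project or from anyone in this thread: it renders the reported template and the pipeline version with Go's text/template, using a constructed attribute map in place of the node's real attributes and a stand-in `secret` function that only reproduces Vault's `ip_sans` validation (the real function calls Vault over the network). The 192.168.3.10 address and the placeholder certificate body are made up for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strings"
	"text/template"
)

// BrokenData is the certificate template from the report above. Nomad's
// ${attr...} syntax sits inside a quoted Go template string, so the
// template engine passes it to the secret function verbatim.
const BrokenData = `{{ with secret "pki/issue/role" "common_name=some.service.dc1.consul" "alt_names=some.service.consul" "ip_sans=${attr.unique.network.ip-address}" "ttl=168h" }}{{ .Data.certificate }}{{ end }}`

// FixedData builds the ip_sans argument with a template pipeline instead:
// env reads the node attribute (the node-variables mechanism from the docs
// linked above) and printf turns it into the key=value form secret expects.
const FixedData = `{{ with secret "pki/issue/role" "common_name=some.service.dc1.consul" "alt_names=some.service.consul" (printf "ip_sans=%s" (env "attr.unique.network.ip-address")) "ttl=168h" }}{{ .Data.certificate }}{{ end }}`

// nodeAttrs is a constructed stand-in for the attributes Nomad exports to
// the template runner; the address is made up for this example.
var nodeAttrs = map[string]string{
	"attr.unique.network.ip-address": "192.168.3.10",
	"node.datacenter":                "dc1",
}

// fakeSecret is a stand-in for consul-template's secret function. It only
// reproduces the argument validation that produced the 400 in the logs:
// every argument must be key=value and ip_sans must parse as an IP.
func fakeSecret(path string, args ...string) (map[string]interface{}, error) {
	params := map[string]string{}
	for _, a := range args {
		kv := strings.SplitN(a, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("argument %q is not key=value", a)
		}
		params[kv[0]] = kv[1]
	}
	if v, ok := params["ip_sans"]; ok && net.ParseIP(v) == nil {
		return nil, fmt.Errorf("the value '%s' is not a valid IP address", v)
	}
	// Shape matches what .Data.certificate expects; the body is a placeholder.
	return map[string]interface{}{
		"Data": map[string]interface{}{
			"certificate": fmt.Sprintf("PLACEHOLDER CERT cn=%s ip_sans=%s", params["common_name"], params["ip_sans"]),
		},
	}, nil
}

// Render executes template data with the two functions the example needs.
// consul-template is also a Go text/template, so the quoting and pipeline
// rules shown here are the ones a Nomad template is subject to.
func Render(data string) (string, error) {
	funcs := template.FuncMap{
		"env":    func(key string) string { return nodeAttrs[key] },
		"secret": fakeSecret,
	}
	tmpl, err := template.New("tmpl").Funcs(funcs).Parse(data)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	cases := []struct{ name, data string }{{"broken", BrokenData}, {"fixed", FixedData}}
	for _, c := range cases {
		out, err := Render(c.data)
		if err != nil {
			fmt.Printf("%s: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: %s\n", c.name, out)
	}
}
```

Rendering `BrokenData` fails with the same "is not a valid IP address" message as the Vault 400 above, while `FixedData` renders with the node's address in `ip_sans`; the same `printf`/`env` pipeline can be used in the private-key template, since both templates pass identical arguments to `secret`.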
Hmm, I was kinda hoping that commenting would re-open. I'll open another issue for the report
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Not sure how simple this would be, but if it's relatively low-hanging, then it would be nifty to allow nested interpolation of variables.
For example, if I want to ask Vault to issue a certificate for a running job which includes an IP alternative name (SAN), I'd want to query that from ${attr.unique.network.ip-address} and do something like this: