hashicorp / nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
https://www.nomadproject.io/

Docker registry auth from Vault or Variables #9740

Open the-maldridge opened 3 years ago

the-maldridge commented 3 years ago

Right now the options for auth in the docker driver are pretty much hard-coded credentials or credential helpers. For repos that just take basic auth this is a bit overkill. It would be nice to be able to specify a vault key to retrieve credentials from. It could be a hard-coded schema within the key, so you just specify something like:

```hcl
auth {
  vault = "secret/docker/ghcr"
}
```

In theory this shouldn't affect the scheduler since Vault can be assumed to be a cluster service if it's configured at all.

tgross commented 3 years ago

Hi @the-maldridge! I'm 👍 on this feature for sure. We have a similar issue open already https://github.com/hashicorp/nomad/issues/4576 but I think this is a distinct enough request that we should keep it open and cross-link it for discussion. Thanks for opening this!

krishicks commented 3 years ago

:wave: I wrote up an RFC for implementing something like this, but after getting feedback on it I'm going to suggest an alternative for the moment, as existing functionality can be used to achieve this, as demonstrated by @angrycub:

```hcl
job "auth" {
  type        = "service"
  datacenters = ["dc1"]

  group "docker" {
    task "redis" {
      driver = "docker"

      config {
        image = "registry.service.consul:5000/redis:latest"
        auth {
          username = "${DOCKER_USER}"
          password = "${DOCKER_PASS}"
        }
      }

      template {
        destination = "secrets/secret.env"
        env         = true
        change_mode = "restart"
        data        = <<EOH
DOCKER_USER={{ key "kv/docker/config/user" }}
DOCKER_PASS={{ key "kv/docker/config/pass" }}
EOH
      }

      resources {
        cpu    = 200
        memory = 100
      }
    }
  }
}
```

This uses the template stanza to render the Docker credentials from Vault as environment variables, which are then interpolated into the Docker driver config.

This solution assumes that you're OK with having the Docker credentials made available to the task (as they would exist as environment variables the task can read).

Let me know if this solves the issue, or if you have different requirements that make it not suitable.
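The job above reads from Consul KV via `key`; the same workaround against a Vault KV v2 secret (the `secret/docker/ghcr` path from the original request) uses `with secret`. This is an added example, not code from the issue or from the Nomad project; the Vault policy name `docker-ghcr-read` and the image name are placeholders, and the credentials still land in the task's environment, which is the least-privilege concern raised in this thread.

```hcl
job "auth" {
  type        = "service"
  datacenters = ["dc1"]

  group "docker" {
    task "redis" {
      driver = "docker"

      # Assumed policy name: it must grant "read" on secret/data/docker/ghcr
      vault {
        policies = ["docker-ghcr-read"]
      }

      config {
        image = "ghcr.io/ORG/redis:latest" # placeholder image
        auth {
          username = "${DOCKER_USER}"
          password = "${DOCKER_PASS}"
        }
      }

      # Rendered into the task's secrets dir and exported as env vars.
      # KV v2 nests the payload under .Data.data.
      template {
        destination = "secrets/docker.env"
        env         = true
        change_mode = "restart"
        data        = <<EOH
{{ with secret "secret/data/docker/ghcr" }}
DOCKER_USER={{ .Data.data.username }}
DOCKER_PASS={{ .Data.data.password }}
{{ end }}
EOH
      }

      resources {
        cpu    = 200
        memory = 100
      }
    }
  }
}
```

Because `env = true` exports the rendered file into the task's environment, anything running in the container (or `nomad alloc exec`) can read `DOCKER_USER` and `DOCKER_PASS`; scoping the Vault policy to only that one path limits what a compromised task can reach, but does not remove the exposure.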

the-maldridge commented 3 years ago

While this does allow you to pass the docker credentials via the environment, it exposes the credentials to the task as you mentioned. Since this fails to meet the criteria of least privilege, this fails to serve as an equivalent solution.

tgross commented 3 months ago

I've re-titled this issue to cover Variables as well, and I'm going to close some of the duplicate requests for this feature and point them here, as well as make sure this gets into Jira for roadmapping discussions.

See also https://github.com/hashicorp/nomad/issues/18135 for some possible thinking around implementation.