Vault Constraint 0.6.1


james....@made.com

Feb 3, 2017, 9:49:02 AM
to Nomad
Hi,

I am just starting to get my Nomad cluster talking to Vault.

I'm using 0.5.4 Nomad -> 0.6.4 Vault

{
  "initialized": true,
  "sealed": false,
  "standby": true,
  "server_time_utc": 1486133185,
  "version": "0.6.4",
  "cluster_name": "vault-cluster-c0ab8c59",
  "cluster_id": "3361aad6-d903-9647-5ed4-7f64cdb52df0"
}


I have created all the necessary roles and policies for Vault and am testing pulling a secret.

An implicit constraint seems to fail. 


[nomad@mag-test-Nomad-10-160-230-214 ~]$ nomad plan test.nomad
+ Job: "docs"
+ Task Group: "example" (1 create)
  + Task: "cat" (forces create)

Scheduler dry-run:
- WARNING: Failed to place all allocations.
  Task Group "example" (failed to place 1 allocation):
    * Constraint "${attr.vault.version} version >= 0.6.1" filtered 3 nodes

Job Modify Index: 0
To submit the job with version verification run:


The constraint check was added with the following commit.


	// vaultConstraint is the implicit constraint added to jobs requesting a
	// Vault token
	vaultConstraint = &structs.Constraint{
		LTarget: "${attr.vault.version}",
		RTarget: ">= 0.6.1",
		Operand: structs.ConstraintVersion,
	}


Any help much appreciated.

James

Alex Dadgar

Feb 3, 2017, 5:32:25 PM
to Nomad, james....@made.com
Hey James,

We automatically add a constraint to any task group that is asking for a Vault token that the client can talk to Vault. In your Nomad client configs please enable and point the clients at Vault’s address: https://www.nomadproject.io/docs/agent/configuration/vault.html.

This is required because the Nomad client uses Vault to unwrap the token and renew it, so it needs to know how to talk to Vault. An example is given at the bottom of the page.

Thanks,
Alex Dadgar
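
Why the plan reported all 3 nodes as filtered, as an added Go sketch (not Nomad's own code and not posted by anyone in the thread): it assumes, per the reply above, that a client with no Vault configuration does not advertise a `vault.version` attribute, and models the implicit `>= 0.6.1` check against a node's attributes. The function names and the sample attribute maps are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion reads up to three dot-separated numeric components.
func parseVersion(s string) (v [3]int, ok bool) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) > 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, false
		}
		v[i] = n
	}
	return v, true
}

// atLeast compares component by component, numerically (0.10.0 > 0.6.1).
func atLeast(have, want [3]int) bool {
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i]
		}
	}
	return true
}

// meetsVaultConstraint models the implicit ">= minimum" version check.
func meetsVaultConstraint(attrs map[string]string, minimum string) bool {
	raw, found := attrs["vault.version"]
	if !found {
		return false // client not configured for Vault: node is filtered
	}
	have, ok1 := parseVersion(raw)
	want, ok2 := parseVersion(minimum)
	return ok1 && ok2 && atLeast(have, want)
}

func main() {
	// Constructed attribute sets: Vault attribute missing, then present.
	fmt.Println(meetsVaultConstraint(map[string]string{}, "0.6.1"))
	fmt.Println(meetsVaultConstraint(map[string]string{"vault.version": "0.6.4"}, "0.6.1"))
}
```

The Vault server version (0.6.4 here) is irrelevant until the client itself reports it, which is why a server-side Vault configuration alone leaves every node filtered.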

James Morgan

Feb 3, 2017, 6:01:19 PM
to Alex Dadgar, Nomad
Hi Alex,

Yes, that makes sense. I thought somehow the Vault handling would be managed by the servers, which do have the configuration.

I'll get the clients configured up properly.

Thanks 
James Morgan

james....@made.com

Feb 6, 2017, 8:53:24 AM
to Nomad
Hi Alex,

That worked. Thanks for your help. 

Now successfully pulling secrets into my Nomad jobs.

James