Using vault for docker credentials


Jeff Hanson

Aug 13, 2018, 1:26:57 PM
to Nomad
I am trying to use vault as the store for our docker repository credentials. I have a docker-credential helper which can use vault to retrieve the credentials and then provide them back to nomad. The problem I face is getting a valid vault token into the credential helper from nomad. I have this working locally by running nomad in -dev mode and then putting a valid vault token in the environment where nomad is started. The environment variable is propagated to the exec'd docker-credential-vault helper and it allows the helper to retrieve the credentials from vault. However, I can't figure out how I can get the nomad client to provide the vault token to the docker credential helper. The docker credential helper accepts a vault token either through a command line option, a config file, or environment variables. Looking for ideas on how I might accomplish getting a valid vault token into the helper that is exec'd by nomad client.
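
The helper side of the setup described in the post above, as an added example that is not part of the original thread and is not the poster's helper: it resolves a Vault token from the three sources the post lists and answers Docker's credential-helper `get` request, failing with an error when no token reaches the process. The names `resolveToken`, `handleGet`, `Creds`, the token file name, the source precedence and the `read` lookup (a stand-in for the real Vault call) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"os"
	"strings"
)

// Creds is the JSON object Docker reads from a helper's stdout on "get".
type Creds struct{ ServerURL, Username, Secret string }

// resolveToken tries the flag, VAULT_TOKEN, then a token file (order assumed by this example).
func resolveToken(flagTok string, getenv func(string) string, file string) (string, error) {
	b, _ := os.ReadFile(file) // an unreadable file just means no token from this source
	for _, t := range []string{flagTok, getenv("VAULT_TOKEN"), strings.TrimSpace(string(b))} {
		if t != "" {
			return t, nil
		}
	}
	return "", errors.New("no Vault token reached the helper")
}

// handleGet answers "get": registry URL in on stdin, JSON out. read is a hypothetical Vault lookup.
func handleGet(in io.Reader, out io.Writer, tok string, read func(tok, url string) (string, string, error)) error {
	b, err := io.ReadAll(in)
	if err != nil {
		return err
	}
	url := strings.TrimSpace(string(b))
	user, secret, err := read(tok, url)
	if err != nil {
		return err
	}
	return json.NewEncoder(out).Encode(Creds{url, user, secret})
}

func main() {
	// Constructed inputs: token file name and a lookup returning fixed sample values.
	sample := func(_, _ string) (string, string, error) { return "sample-user", "sample-secret", nil }
	tok, err := resolveToken("", os.Getenv, "vault-token")
	if err == nil {
		err = handleGet(os.Stdin, os.Stdout, tok, sample)
	}
	if err != nil {
		os.Stderr.WriteString(err.Error() + "\n")
		os.Exit(1)
	}
}
```

Run under a process whose environment carries no `VAULT_TOKEN`, and with no flag or token file, it exits non-zero before reading stdin, which is the situation the post describes for a helper exec'd by the Nomad client.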


Michael Schurter

Aug 13, 2018, 2:23:07 PM
to jeffrey....@gmail.com, nomad...@googlegroups.com
Nomad currently does not template vault tokens/credentials into client settings such as the Docker credential helper like it can template jobspecs.

This seems like a reasonable use case that Nomad could special case. Would you mind opening an issue to make it easier to discuss/triage/track? https://github.com/hashicorp/nomad/issues/new

Thanks!


Jeff Hanson

Aug 13, 2018, 4:06:58 PM
to Nomad
Ok, submitted a new issue on this and included a reference to this topic.

thanks,
Jeff