Nomad Template: Any way to pass Consul ACL Token ?


Cyril Gaudin

Jan 17, 2017, 4:27:35 AM
to Nomad
Hi,

We've started to use templates in Nomad to get our configuration from Consul, but our Consul cluster is protected with ACLs.

Is there a way to pass the Consul token in the job configuration? (If not, I will create a GitHub issue.)
I tried to set the environment variable CONSUL_HTTP_TOKEN in the "env" section, but it doesn't seem to be passed to consul-template by the Nomad agent.

So Nomad believes that the Consul key is not present and the job remains in the pending state.

Thanks for your help!

Cyril.

Test job:
job "template-test" {
    datacenters = ["dc1"]

    type = "batch"

    group "template-test" {
        task "template-test" {
            driver = "exec"

            config {
                command = "sh"
                args = ["-c", "sleep 5; cat local/test.conf; exit 0"]
            }

            template {
                destination = "local/test.conf"
                data = "{{ key \"configtest\" }}"
            }

            # Try to pass Consul token as an environment variable.
            env {
                CONSUL_HTTP_TOKEN = "test-token"
            }
        }
    }
}


Server log below:

    2017/01/17 10:17:56.110735 [DEBUG] client: starting task runners for alloc '47847e8c-f805-ca4b-e981-3ae38777e036'
    2017/01/17 10:17:56.110867 [DEBUG] client: starting task context for 'template-test' (alloc '47847e8c-f805-ca4b-e981-3ae38777e036')
    2017/01/17 10:17:56 [INFO] (runner) creating new runner (dry: false, once: false)
    2017/01/17 10:17:56 [DEBUG] (runner) final config (tokens suppressed):

{
  "Path": "",
  "Consul": "",
  "Token": "",
  "ReloadSignal": 1,
  "DumpSignal": 3,
  "KillSignal": 2,
  "Auth": {
    "Enabled": false,
    "Username": "",
    "Password": ""
  },
  "Vault": {
    "Address": "",
    "UnwrapToken": false,
    "RenewToken": false,
    "SSL": {
      "Enabled": true,
      "Verify": true,
      "Cert": "",
      "Key": "",
      "CaCert": "",
      "CaPath": "",
      "ServerName": ""
    }
  },
  "SSL": {
    "Enabled": false,
    "Verify": true,
    "Cert": "",
    "Key": "",
    "CaCert": "",
    "CaPath": "",
    "ServerName": ""
  },
  "Syslog": {
    "Enabled": false,
    "Facility": "LOCAL0"
  },
  "Exec": {
    "Command": "",
    "Splay": 0,
    "ReloadSignal": null,
    "KillSignal": 15,
    "KillTimeout": 30000000000
  },
  "MaxStale": 1000000000,
  "ConfigTemplates": [
    {
      "Source": "",
      "Destination": "/tmp/nomad/alloc/47847e8c-f805-ca4b-e981-3ae38777e036/template-test/local/test.conf",
      "EmbeddedTemplate": "{{ key \"configtest\" }}",
      "Command": "",
      "CommandTimeout": 0,
      "Perms": 420,
      "Backup": false,
      "LeftDelim": "",
      "RightDelim": "",
      "Wait": {
        "min": 0,
        "max": 0
      }
    }
  ],
  "Retry": 5000000000,
  "Wait": {
    "min": 0,
    "max": 0
  },
  "PidFile": "",
  "LogLevel": "WARN",
  "Deduplicate": {
    "Enabled": false,
    "Prefix": "consul-template/dedup/",
    "TTL": 15000000000
  }
}

    2017/01/17 10:17:56 [INFO] (clients) creating consul/api client
    2017/01/17 10:17:56 [INFO] (clients) creating vault/api client
    2017/01/17 10:17:56 [DEBUG] (clients) enabling vault SSL
    2017/01/17 10:17:56 [INFO] (runner) creating Watcher
    2017/01/17 10:17:56 [INFO] (runner) starting
    2017/01/17 10:17:56 [DEBUG] (runner) running initial templates
    2017/01/17 10:17:56 [INFO] (runner) running
    2017/01/17 10:17:56 [DEBUG] (runner) checking template a7c72e8af6bd3ec74e72f63455032e62
    2017/01/17 10:17:56 [INFO] (runner) was not watching 2 dependencies
    2017/01/17 10:17:56 [INFO] (watcher) adding "key(configtest)"
    2017/01/17 10:17:56 [DEBUG] (watcher) "key(configtest)" starting
    2017/01/17 10:17:56 [INFO] (watcher) adding "key(configtest)"
    2017/01/17 10:17:56 [DEBUG] (watcher) "key(configtest)" already exists, skipping
    2017/01/17 10:17:56 [INFO] (runner) diffing and updating dependencies
    2017/01/17 10:17:56 [INFO] (runner) watching 1 dependencies
    2017/01/17 10:17:56 [DEBUG] (view) "key(configtest)" starting fetch
    2017/01/17 10:17:56 [DEBUG] ("key(configtest)") querying consul with &{Datacenter: AllowStale:true RequireConsistent:false WaitIndex:0 WaitTime:1m0s Token: Near:}
    2017/01/17 10:17:56 [DEBUG](view) "key(configtest)" data was not present
    2017/01/17 10:17:56 [DEBUG] ("key(configtest)") querying consul with &{Datacenter: AllowStale:true RequireConsistent:false WaitIndex:9679 WaitTime:1m0s Token: Near:}

Alex Dadgar

Jan 17, 2017, 7:02:05 PM
to Nomad, Cyril Gaudin
Hey Cyril,

Unfortunately we do not currently support Consul ACL tokens in the config. It is on our roadmap and you are welcome to create an issue. Long term we would like to make it so that the Vault integration can be used to derive a Consul ACL token on demand for the task and plumb that through to both registering the services and for use with the template block!

Thanks,
Alex Dadgar

David BURET

Oct 11, 2018, 10:48:06 AM
to Nomad
Hello,

I'm not able to find any news on this subject: is it still on the roadmap, already implemented, ...?

Thanks.
David.

Sampath M

Oct 12, 2018, 11:38:15 PM
to Nomad
Hi Dadgar,

I still see this as an open item; are there any timelines for this feature?

nomad client log -
[WARN] (view) kv.block(config/env/appname/v1): Unexpected response code: 403 (retry attempt 12 after "1m0s")

nomad job
template {
    source = "/nomad/app.conf.tpl"
    destination = "/config/config.json"
    change_mode = "signal"
    change_signal = "SIGINT"
}
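
Added example, not part of any post in this thread and not Nomad or consul-template code: a small triage script for the two symptoms reported above, a key read that was sent with an empty `Token:` field and then logged as "data was not present", and a `403` on a KV watch. The sample lines are constructed from the log excerpts in the thread; the function name and finding labels are hypothetical.

```python
import re

# Constructed sample: the relevant lines from the two log excerpts in this thread.
SAMPLE_LOG = '''\
2017/01/17 10:17:56 [DEBUG] ("key(configtest)") querying consul with &{Datacenter: AllowStale:true RequireConsistent:false WaitIndex:0 WaitTime:1m0s Token: Near:}
2017/01/17 10:17:56 [DEBUG](view) "key(configtest)" data was not present
[WARN] (view) kv.block(config/env/appname/v1): Unexpected response code: 403 (retry attempt 12 after "1m0s")
'''

QUERY = re.compile(r'\("(?P<dep>[^"]+)"\) querying consul with &\{(?P<opts>[^}]*)\}')
TOKEN = re.compile(r'\bToken:(\S*)(?:\s|$)')
ABSENT = re.compile(r'\(view\) "(?P<dep>[^"]+)" data was not present')
DENIED = re.compile(r'\(view\) (?P<dep>\S+?): Unexpected response code: 403')


def triage(log_text):
    """Return ordered, de-duplicated (dependency, finding) pairs."""
    tokenless = set()  # dependencies whose latest query carried no token
    findings = []

    def report(dep, finding):
        if (dep, finding) not in findings:
            findings.append((dep, finding))

    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            tok = TOKEN.search(m.group('opts'))
            # Only record whether a token was set; never echo its value.
            if tok is not None and tok.group(1) == '':
                tokenless.add(m.group('dep'))
            else:
                tokenless.discard(m.group('dep'))
            continue
        m = ABSENT.search(line)
        if m and m.group('dep') in tokenless:
            # Missing key and ACL denial look the same here; check the ACL first.
            report(m.group('dep'), 'queried-without-token-then-absent')
            continue
        m = DENIED.search(line)
        if m:
            report(m.group('dep'), 'acl-denied-403')
    return findings


if __name__ == '__main__':
    for dep, finding in triage(SAMPLE_LOG):
        print(f'{dep}: {finding}')
```
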