Vault and Nomad Integration with a Consul backend #2516

Closed
tarpanpathak opened this issue Apr 3, 2017 · 4 comments

Comments

@tarpanpathak

Hi,
I have read through the Vault Integration doc (https://www.nomadproject.io/docs/vault-integration/) but am still unclear on the required setup to integrate Vault with Nomad and a Consul backend.

FYI, we already have the following set up:

- Consul (3-node cluster) 
- Nomad (3 x master and 3 x worker node clusters) 
- Vault (server) running on two out of the three Consul nodes  
- Vault root token

I am struggling to find where to go next. The end goal is to submit Nomad jobs that accept Vault policies either at the Job, Group, or Task level which then reads/writes from/to Consul. Could you point me to some documentation on how to move forward with this setup?

@dadgar
Contributor

dadgar commented Apr 3, 2017

Hey @ptarpan,

Can you expand on where you are getting stuck? As outlined on that page, you have two options.

  1. Give Nomad a root token from Vault.

There is really nothing more to do in this case.

  2. Generate a Token Role in Vault and create a token that can create child tokens from that role and give that to Nomad.

You can see the steps here: https://www.nomadproject.io/docs/vault-integration/#token-role-based-integration

@tarpanpathak
Author

Hey @dadgar,

Thanks for the quick response. Yup, got it. Nomad currently has been provided a root token. To use Vault, I must first "auth" against it, correct? If so, I am running the `vault auth <token>` command. Let me continue testing. In your opinion, option #2 is more reliable, yes?

@dadgar
Contributor

dadgar commented Apr 3, 2017

So for a root token you more or less do this:

```
$ nomad agent -dev -vault-enabled -vault-token=<token> -vault-address=<addr>
```

and then ask for a policy in the job file.

Option #2 is what you should be using in production as it gives you granular control of what can be used by Nomad jobs and doesn't expose a root token!

I am going to close this issue but feel free to ask questions here, the mailing list or on Gitter.

@dadgar dadgar closed this as completed Apr 3, 2017
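
Option #2 from the thread, worked through as an added example (not code posted by either participant or taken from the Nomad project): it generates a Vault policy for the Nomad servers, a token role for task tokens, and the matching agent `vault` block, then provisions a non-root periodic token. The names `nomad-server` and `nomad-cluster`, the address `vault.example.internal`, and the use of the current `vault policy write` / `vault token create` command forms are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: policy "nomad-server", role "nomad-cluster".
set -eu

# Policy for the token Nomad servers hold: token management only, no secret paths.
write_server_policy() {   # $1 = output file
  cat > "$1" <<'EOF'
path "auth/token/create/nomad-cluster" { capabilities = ["update"] }
path "auth/token/roles/nomad-cluster"  { capabilities = ["read"] }
path "auth/token/lookup-self"          { capabilities = ["read"] }
path "auth/token/lookup"               { capabilities = ["update"] }
path "auth/token/revoke-accessor"      { capabilities = ["update"] }
path "sys/capabilities-self"           { capabilities = ["update"] }
path "auth/token/renew-self"           { capabilities = ["update"] }
EOF
}

# Token role: task tokens are periodic (72h = 259200s) and never carry nomad-server.
write_token_role() {      # $1 = output file
  cat > "$1" <<'EOF'
{
  "disallowed_policies": "nomad-server",
  "explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": false,
  "period": 259200,
  "renewable": true
}
EOF
}

# Nomad server agent config; the token itself comes from VAULT_TOKEN, not this file.
write_agent_vault_stanza() {   # $1 = output file
  cat > "$1" <<'EOF'
vault {
  enabled          = true
  address          = "https://vault.example.internal:8200"
  create_from_role = "nomad-cluster"
}
EOF
}

# Run once by a Vault operator; prints the periodic token to give to Nomad servers.
provision_nomad_token() {      # $1 = directory holding the two generated files
  vault policy write nomad-server "$1/nomad-server-policy.hcl" >&2
  vault write auth/token/roles/nomad-cluster @"$1/nomad-cluster-role.json" >&2
  vault token create -policy nomad-server -period 72h -orphan -field=token
}
```

Export the printed token as `VAULT_TOKEN` for the Nomad server agents only; a job then names the policies it needs in its own `vault { policies = [...] }` block.
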
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 14, 2022