
How To Set Docker Env From Vault #2902

Closed
mqasim1983 opened this issue Jul 25, 2017 · 17 comments

Comments

@mqasim1983

mqasim1983 commented Jul 25, 2017

Hi,

How to set docker env from vault as mentioned #597

env {
  LOG_LEVEL="debug"
  REGISTRY_STORAGE="s3"
  REGISTRY_STORAGE_S3_ACCESSKEY="${vault("/aws/keys/access")}"
  REGISTRY_STORAGE_S3_SECRETKEY="${vault("/aws/keys/secret")}"
  REGISTRY_STORAGE_S3_REGION="us-east-1"
  REGISTRY_STORAGE_S3_BUCKET="mybucket"
  REGISTRY_STORAGE_S3_ROOTDIRECTORY="/foo/bar/docker-registry"
}

Thanks

@pieterbreed

Hi mqasim1983, I don't think it's currently possible. It looks like you are trying to run a docker registry? Rather create the config yaml file directly using the template block. The documentation says it's possible to read vault secrets into that template, have a look here for how to do that: https://github.com/hashicorp/consul-template.

@mqasim1983
Author

Hi,

I have some variable for DB's that application uses so that I need from Vault as the variable.

Thanks

@pieterbreed

Yes, I hear you and understand. I am saying right now you can't do it the way you are asking about. You need to use another mechanism to lift the db secrets into your application environment. Eg, a shell script populated using a consul-template block, and then source ...'d or something similar.

@mqasim1983
Author

Thanks @pieterbreed
I upgraded my local nomad cluster to 0.6.0 (Unreleased). The change log says:
Support reading env vars from templates [GH-2654]

Maybe it will work; just looking to find a way of doing that in nomad.

@mqasim1983
Author

mqasim1983 commented Jul 26, 2017

Managed to do it

template {
  data = <<EOH
ABC_KEY={{ key "Develop/MYSQL_USER" }}
EOH
  destination = "local/file.env"
  env         = true
}

@pieterbreed

This is fantastic. Thank you for sharing.

@dadgar
Contributor

dadgar commented Jul 26, 2017

@mqasim1983 Awesome job figuring out before we even released 👍

Closing as Nomad 0.6 brings support for this!

@dadgar dadgar closed this as completed Jul 26, 2017
@mlehner616

mlehner616 commented Jul 27, 2017 via email

@mqasim1983
Author

Hi,

I still need to do it from Vault not from Consul.
I am using Nomad 6 rc2.

Please let me know how can I do it from Vault

Thanks

@mqasim1983
Author

Thanks everyone

Docs : https://www.nomadproject.io/docs/job-specification/template.html
For me it just says missing client token

@pieterbreed

I might be off-target here, but that sounds like you haven't set up vault/nomad integration yet. After you've done that, in the nomad job file, you need a vault stanza that derives a VAULT_TOKEN environment variable.

@mqasim1983
Author

mqasim1983 commented Jul 28, 2017

Hi @pieterbreed

I have the following config for my testing env

nomad.hcl

server {
  enabled          = true
  bootstrap_expect = 3
  encrypt          = "xxxxxxxxxxxxxxx"
}

consul {
  address = "x.x.x.:8500"
}

advertise {
  http = "x.x.x.x"
  rpc  = "x.x.x.x"
  serf = "x.x.x.x"
}

bind_addr  = "0.0.0.0"
data_dir   = "/var/nomad"
datacenter = "Xxxx"
region     = "XXX"

client {
  enabled = true
  options = {
    "driver.raw_exec.enable" = "1"
  }
}

vault {
  enabled          = true
  address          = "http://vault.service.consul:8200"
  token            = "6f80de34-24df-27b4-d14f-388d5f00d1af" # ROOT TOKEN
  create_from_role = "nomad-cluster"
}

Nomad Test Job

job "test" {
  region      = "XXX"
  datacenters = ["Xxx"]
  type        = "service"

  update {
    stagger      = "10s"
    max_parallel = 1
  }

  group "logging" {
    constraint {
      operator = "distinct_hosts"
      value    = "true"
    }

    count = 1

    restart {
      attempts = 1
      interval = "2m"
      delay    = "25s"
      mode     = "delay"
    }

    ephemeral_disk {
      size = 300
    }

    task "test" {
      vault {
        policies      = ["default"]
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }

      template {
        data = <<EOH
ABC_KEY={{ key "Develop/MYSQL_USER" }}
API_KEY="{{with secret "secret/Develop/MYSQL_USER"}}{{.Data.key}}{{end}}"
EOH

        destination = "local/file.env"
        env         = true
      }

      driver = "docker"

      config {
        image = "registry.XXXX.local:5000/XX/XX:latest"
        port_map {
          test = 24224
        }
      }

      env {
        "BUFFER_CHUNK_LIMIT" = "256m"
        "NUM_THREADS"        = "2"
        "ELASTICSEARCH_HOST" = "Xxxxx"
        "ELASTICSEARCH_PORT" = "9200"
      }

      resources {
        cpu    = 250
        memory = 500
        network {
          mbits = 10
          port "test" {}
        }
      }

      service {
        name = "test"
        tags = ["logging"]
        port = "test"
        check {
          name     = "alive"
          type     = "tcp"
          port     = "test"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }
}

All nomad servers are nomad clients as well, please let me know what I am missing.

Thanks

@dadgar
Contributor

dadgar commented Jul 28, 2017

@mlehner616 Yep! There is an example on the template documentation: https://www.nomadproject.io/docs/job-specification/template.html#environment-variables

And also in the guide page: https://www.nomadproject.io/docs/operating-a-job/configuring-tasks.html#environment-variables

Let us know if you think they can be improved! PRs welcome 😄

@dadgar
Contributor

dadgar commented Jul 28, 2017

@mqasim1983 Does the default policy have the ability to read the secret?

You can test by creating a default token from your root token and trying to read:

$ VAULT_TOKEN=<root> vault token-create -policy=default
Key             Value
---             -----
token           345c8992-eb33-9b5a-7d81-2347c2caa72c
token_accessor  3f69ec8e-0e8b-aa4e-55f1-f1e7671e9861
token_duration  768h0m0s
token_renewable true
token_policies  [default]

$ VAULT_TOKEN=345c8992-eb33-9b5a-7d81-2347c2caa72c vault read secret/test
Error reading secret/test: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret/test
Code: 403. Errors:

* permission denied

@mqasim1983
Author

Hi, @dadgar

Yes it is

vault token-create -policy=default
Key            	Value
---            	-----
token          	5e779b4f-6ef9-f919-4464-ee0f351bcf0e
token_accessor 	dc6e1a79-0b68-4307-f16b-5291b0d9b4f2
token_duration 	768h0m0s
token_renewable	true
token_policies 	[default]

one@Docker-01:~$ VAULT_TOKEN=5e779b4f-6ef9-f919-4464-ee0f351bcf0e vault list secret
Error reading secret/: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret?list=true
Code: 403. Errors:

* permission denied

Thanks
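The 403 shown above is what a token carrying only the default policy gets for anything under secret/, which is the check dadgar asked for. As an added example that is not from this thread, here is a minimal Vault policy (the name nomad-develop-read is assumed) scoped to the path the template reads, with the task stanzas that reference it; the token role named by create_from_role on the Nomad servers (nomad-cluster in the thread) must also allow that policy.

```hcl
# File 1: Vault policy "nomad-develop-read" (name assumed, not from the thread).
# Grants read only on the secrets the template references, so the task token
# cannot list or read anything else under secret/.
path "secret/Develop/*" {
  capabilities = ["read"]
}

# File 2: the task's vault and template stanzas referencing that policy.
# The Nomad servers' create_from_role token role must permit this policy,
# otherwise Nomad cannot derive a token for the task and the template never renders.
task "test" {
  vault {
    policies      = ["nomad-develop-read"]
    change_mode   = "signal"
    change_signal = "SIGUSR1"
  }

  template {
    data = <<EOH
API_KEY="{{ with secret "secret/Develop/MYSQL_USER" }}{{ .Data.key }}{{ end }}"
EOH
    # secrets/ is the task's private secrets directory and is not exposed through
    # the allocation file-system API, unlike local/, so the rendered credential
    # file stays out of reach of anyone browsing allocation files.
    destination = "secrets/file.env"
    env         = true
  }
}
```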

@mqasim1983
Author

Thanks everyone, it is working

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 11, 2022