open-nomad/website/pages/docs/job-specification/vault.mdx

---
layout: docs
page_title: vault Stanza - Job Specification
sidebar_title: vault
description: |-
  The "vault" stanza allows the task to specify that it requires a token from a
  HashiCorp Vault server. Nomad will automatically retrieve a Vault token for
  the task and handle token renewal for the task.
---

# `vault` Stanza

<Placement
  groups={[
    ['job', 'vault'],
    ['job', 'group', 'vault'],
    ['job', 'group', 'task', 'vault'],
  ]}
/>

The `vault` stanza allows a task to specify that it requires a token from a
[HashiCorp Vault][vault] server. Nomad will automatically retrieve a Vault token
for the task and handle token renewal for the task. If specified at the `group`
level, the configuration will apply to all tasks within the group. If specified
at the `job` level, the configuration will apply to all tasks within the job. If
multiple `vault` stanzas are specified, they are merged with the `task` stanza
taking the highest precedence, then the `group`, then the `job`.

```hcl
job "docs" {
  group "example" {
    task "server" {
      vault {
        policies      = ["cdn", "frontend"]
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }
    }
  }
}
```

The Nomad client will make the Vault token available to the task by writing it
to the secret directory at `secrets/vault_token` and by injecting a `VAULT_TOKEN`
environment variable. If the Nomad cluster is [configured](/docs/configuration/vault#namespace)
to use [Vault Namespaces](https://www.vaultproject.io/docs/enterprise/namespaces),
a `VAULT_NAMESPACE` environment variable will be injected whenever `VAULT_TOKEN` is set.

If Nomad is unable to renew the Vault token (perhaps due to a Vault outage or
network error), the client will attempt to retrieve a new Vault token. If
successful, the contents of the secrets file are updated on disk, and action
will be taken according to the value set in the `change_mode` parameter.

If a `vault` stanza is specified, the [`template`][template] stanza can interact
with Vault as well.

## `vault` Parameters

- `change_mode` `(string: "restart")` - Specifies the behavior Nomad should take
  if the Vault token changes. The possible values are:

  - `"noop"` - take no action (continue running the task)
  - `"restart"` - restart the task
  - `"signal"` - send a configurable signal to the task

- `change_signal` `(string: "")` - Specifies the signal to send to the task as a
  string like `"SIGUSR1"` or `"SIGINT"`. This option is required if the
  `change_mode` is `signal`.

- `env` `(bool: true)` - Specifies if the `VAULT_TOKEN` and `VAULT_NAMESPACE`
  environment variables should be set when starting the task.

- `namespace` `(string: "")` <EnterpriseAlert inline/> - Specifies the Vault Namespace
  to use for the task. The Nomad client will retrieve a Vault token that is scoped to
  this particular namespace.

- `policies` `(array<string>: [])` - Specifies the set of Vault policies that
  the task requires. The Nomad client will retrieve a Vault token that is
  limited to those policies.

## `vault` Examples

The following examples only show the `vault` stanzas. Remember that the
`vault` stanza is only valid in the placements listed above.

### Retrieve Token

This example tells the Nomad client to retrieve a Vault token. The token is
available to the task via the canonical environment variable `VAULT_TOKEN` and
written to disk at `secrets/vault_token`. The resulting token will have the
"frontend" Vault policy attached.

```hcl
vault {
  policies = ["frontend"]
}
```

### Signal Task

This example shows signaling the task instead of restarting it.

```hcl
vault {
  policies      = ["frontend"]
  change_mode   = "signal"
  change_signal = "SIGINT"
}
```
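
The task side of the `signal` change mode, as an added example that is not part of the Nomad documentation or code base: a Go task that reads the token Nomad wrote to `secrets/vault_token` at start-up and re-reads the file each time the configured `change_signal` is delivered, keeping the previous token when a reload fails (for instance because the file was read while it was being rewritten). The `TokenSource` type and its methods are assumed names; the file path and `SIGUSR1` come from the examples on this page.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"strings"
	"sync/atomic"
	"syscall"
)

// TokenSource holds the Vault token Nomad writes to secrets/vault_token (assumed name).
type TokenSource struct {
	Path string
	cur  atomic.Value // current token (string), safe to read from any goroutine
}

// Reload re-reads the token file; a missing or empty file keeps the previous token.
func (ts *TokenSource) Reload() error {
	raw, err := os.ReadFile(ts.Path)
	if err != nil {
		return err
	}
	tok := strings.TrimSpace(string(raw))
	if tok == "" {
		return fmt.Errorf("%s: empty token", ts.Path)
	}
	ts.cur.Store(tok)
	return nil
}

// Token returns the current token; fetch it per request, never cache it.
func (ts *TokenSource) Token() string {
	tok, _ := ts.cur.Load().(string)
	return tok
}

func main() {
	ts := &TokenSource{Path: "secrets/vault_token"} // path given on this page
	if err := ts.Reload(); err != nil {
		panic(err) // no usable token at start-up: do not serve
	}
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGUSR1) // change_signal = "SIGUSR1" as on this page
	for range sigs {                     // a real task would serve requests meanwhile
		if err := ts.Reload(); err != nil {
			fmt.Fprintln(os.Stderr, "token reload failed, keeping old token:", err)
		}
	}
}
```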

### Vault Namespace

This example shows specifying a particular Vault namespace for a given task.

<EnterpriseAlert />

```hcl
vault {
  policies      = ["frontend"]
  namespace     = "engineering/frontend"
  change_mode   = "signal"
  change_signal = "SIGINT"
}
```

[restart]: /docs/job-specification/restart 'Nomad restart Job Specification'
[template]: /docs/job-specification/template 'Nomad template Job Specification'
[vault]: https://www.vaultproject.io/ 'Vault by HashiCorp'