docs: -vault-namespace, VAULT_NAMESPACE, and config

agent: added VAULT_NAMESPACE env-based configuration
2019-04-05 01:16:51 +00:00 · 2019-04-05 01:16:51 +00:00 · a26d4fe1e5
parent 170f5239c8
commit a26d4fe1e5
5 changed files with 19 additions and 4 deletions
--- a/client/vaultclient/vaultclient.go
+++ b/client/vaultclient/vaultclient.go
@ -165,6 +165,7 @@ func NewVaultClient(config *config.VaultConfig, logger hclog.Logger, tokenDerive

 	// SetHeaders above will replace all headers, make this call second
 	if config.Namespace != "" {
+		logger.Debug("configuring Vault namespace", "namespace", config.Namespace)
 		client.SetNamespace(config.Namespace)
 	}

--- a/command/agent/command.go
+++ b/command/agent/command.go
@ -261,6 +261,13 @@ func (c *Command) readConfig() *Config {
 		}
 	}

+	// Check to see if we should read the Vault namespace from the environment
+	if config.Vault.Namespace == "" {
+		if ns, ok := os.LookupEnv("VAULT_NAMESPACE"); ok {
+			config.Vault.Namespace = ns
+		}
+	}
+
 	// Default the plugin directory to be under that of the data directory if it
 	// isn't explicitly specified.
 	if config.PluginDir == "" && config.DataDir != "" {
--- a/nomad/vault.go
+++ b/nomad/vault.go
@ -254,7 +254,7 @@ func NewVaultClient(c *config.VaultConfig, logger log.Logger, purgeFn PurgeVault
 		}

 		if c.Namespace != "" {
-			logger.Debug("Setting Vault namespace", "namespace", c.Namespace)
+			logger.Debug("configuring Vault namespace", "namespace", c.Namespace)
 			v.client.SetNamespace(c.Namespace)
 		}

--- a/website/source/docs/commands/agent.html.md.erb
+++ b/website/source/docs/commands/agent.html.md.erb
@ -101,6 +101,9 @@ via CLI arguments. The `agent` command accepts the following arguments:
  integration.
 * `vault-cert-file=<path>`: The path to the certificate for Vault communication.
 * `vault-key-file=<path>`: The path to the private key for Vault communication.
+* `vault-namespace=<namespace>`: The Vault namespace used for the integration. 
+  Required for servers and clients. Overrides the Vault namespace read from the 
+  VAULT_NAMESPACE environment variable.  
 * `vault-tls-skip-verify`: A boolean that determines whether to skip SSL
  certificate verification.
 * `vault-tls-server-name=<name>`: Used to set the SNI host when connecting to
--- a/website/source/guides/operations/vault-integration/index.html.md
+++ b/website/source/guides/operations/vault-integration/index.html.md
@ -261,9 +261,12 @@ Nomad Server's configuration file located at `/etc/nomad.d/nomad.hcl`. Provide
 the token you generated in the previous step in the `vault` stanza of your Nomad
 server configuration. The token can also be provided as an environment variable
 called `VAULT_TOKEN`. Be sure to specify the `nomad-cluster-role` in the
-[create_from_role][create-from-role] option. After following these steps and
-enabling Vault, the `vault` stanza in your Nomad server configuration will be
-similar to what is shown below:
+[create_from_role][create-from-role] option. If using 
+[Vault Namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html), 
+modify both the client and server configuration to include the namespace; 
+alternatively, it can be provided in the environment variable `VAULT_NAMESPACE`. 
+After following these steps and enabling Vault, the `vault` stanza in your Nomad 
+server configuration will be similar to what is shown below:

 ```hcl
 vault {
@ -272,6 +275,7 @@ vault {
  task_token_ttl = "1h"
  create_from_role = "nomad-cluster"
  token = "<your nomad server token>"
+  namespace = "<vault namespace for the cluster>"
 }
 ```