diff --git a/client/vaultclient/vaultclient.go b/client/vaultclient/vaultclient.go
index 5512882e9..5bebbd883 100644
--- a/client/vaultclient/vaultclient.go
+++ b/client/vaultclient/vaultclient.go
@@ -165,6 +165,7 @@ func NewVaultClient(config *config.VaultConfig, logger hclog.Logger, tokenDerive
 // SetHeaders above will replace all headers, make this call second
 if config.Namespace != "" {
+ logger.Debug("configuring Vault namespace", "namespace", config.Namespace)
 client.SetNamespace(config.Namespace)
 }
diff --git a/command/agent/command.go b/command/agent/command.go
index 1ac133e53..d30958a5b 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -261,6 +261,13 @@ func (c *Command) readConfig() *Config {
 }
 }
+ // Check to see if we should read the Vault namespace from the environment
+ if config.Vault.Namespace == "" {
+ if ns, ok := os.LookupEnv("VAULT_NAMESPACE"); ok {
+ config.Vault.Namespace = ns
+ }
+ }
+
 // Default the plugin directory to be under that of the data directory if it
 // isn't explicitly specified.
 if config.PluginDir == "" && config.DataDir != "" {
diff --git a/nomad/vault.go b/nomad/vault.go
index f2915345b..ed71c5e4e 100644
--- a/nomad/vault.go
+++ b/nomad/vault.go
@@ -254,7 +254,7 @@ func NewVaultClient(c *config.VaultConfig, logger log.Logger, purgeFn PurgeVault
 }
 if c.Namespace != "" {
- logger.Debug("Setting Vault namespace", "namespace", c.Namespace)
+ logger.Debug("configuring Vault namespace", "namespace", c.Namespace)
 v.client.SetNamespace(c.Namespace)
 }
diff --git a/website/source/docs/commands/agent.html.md.erb b/website/source/docs/commands/agent.html.md.erb
index 474ec7f14..f2a251975 100644
--- a/website/source/docs/commands/agent.html.md.erb
+++ b/website/source/docs/commands/agent.html.md.erb
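Review bot: The new `config.Vault.Namespace` dereference in readConfig (command/agent/command.go hunk) assumes `config.Vault` is non-nil at that point; nothing in the hunk establishes that, so if a parsed config file or the merge can leave the Vault stanza unset, the environment fallback panics instead of applying. If that is possible, guard the check: `if config.Vault != nil && config.Vault.Namespace == "" {`. The comment would also be more useful if it stated the precedence the accompanying docs promise, e.g. `// Fall back to VAULT_NAMESPACE only when neither the config file nor the CLI flag set a namespace, so explicit configuration keeps precedence over the environment.` readConfig begins before and ends after this hunk.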
@@ -101,6 +101,9 @@ via CLI arguments. The `agent` command accepts the following arguments: integration. * `vault-cert-file=`: The path to the certificate for Vault communication. * `vault-key-file=`: The path to the private key for Vault communication. +* `vault-namespace=`: The Vault namespace used for the integration. Required for servers and clients. Overrides the Vault namespace read from the VAULT_NAMESPACE environment variable. * `vault-tls-skip-verify`: A boolean that determines whether to skip SSL certificate verification. * `vault-tls-server-name=`: Used to set the SNI host when connecting to
diff --git a/website/source/guides/operations/vault-integration/index.html.md b/website/source/guides/operations/vault-integration/index.html.md
index c6783018e..160eeef66 100644
--- a/website/source/guides/operations/vault-integration/index.html.md
+++ b/website/source/guides/operations/vault-integration/index.html.md
@@ -261,9 +261,12 @@ Nomad Server's configuration file located at `/etc/nomad.d/nomad.hcl`. Provide the token you generated in the previous step in the `vault` stanza of your Nomad server configuration. The token can also be provided as an environment variable called `VAULT_TOKEN`. Be sure to specify the `nomad-cluster-role` in the -[create_from_role][create-from-role] option. After following these steps and -enabling Vault, the `vault` stanza in your Nomad server configuration will be -similar to what is shown below: +[create_from_role][create-from-role] option. If using +[Vault Namespaces](https://www.vaultproject.io/docs/enterprise/namespaces/index.html), +modify both the client and server configuration to include the namespace; +alternatively, it can be provided in the environment variable `VAULT_NAMESPACE`. +After following these steps and enabling Vault, the `vault` stanza in your Nomad +server configuration will be similar to what is shown below: ```hcl vault { 
@@ -272,6 +275,7 @@ vault {
 task_token_ttl = "1h"
 create_from_role = "nomad-cluster"
 token = ""
+ namespace = ""
 }
 ```