package vaultcompat import ( "github.com/hashicorp/nomad/api" "github.com/hashicorp/nomad/helper" ) const ( // policy is the recommended Nomad Vault policy policy = `path "auth/token/create/nomad-cluster" { capabilities = ["update"] } path "auth/token/roles/nomad-cluster" { capabilities = ["read"] } path "auth/token/lookup-self" { capabilities = ["read"] } path "auth/token/lookup" { capabilities = ["update"] } path "auth/token/revoke-accessor" { capabilities = ["update"] } path "sys/capabilities-self" { capabilities = ["update"] } path "auth/token/renew-self" { capabilities = ["update"] }` ) var ( // role is the recommended nomad cluster role role = map[string]interface{}{ "disallowed_policies": "nomad-server", "explicit_max_ttl": 0, // use old name for vault compatibility "name": "nomad-cluster", "orphan": false, "period": 259200, // use old name for vault compatibility "renewable": true, } // job is a test job that is used to request a Vault token and cat the token // out before exiting. job = &api.Job{ ID: helper.StringToPtr("test"), Type: helper.StringToPtr("batch"), Datacenters: []string{"dc1"}, TaskGroups: []*api.TaskGroup{ { Name: helper.StringToPtr("test"), Tasks: []*api.Task{ { Name: "test", Driver: "raw_exec", Config: map[string]interface{}{ "command": "cat", "args": []string{"${NOMAD_SECRETS_DIR}/vault_token"}, }, Vault: &api.Vault{ Policies: []string{"default"}, }, }, }, RestartPolicy: &api.RestartPolicy{ Attempts: helper.IntToPtr(0), Mode: helper.StringToPtr("fail"), }, }, }, } )