open-nomad/nomad/structs
grembo 7936c1e33f
Add `disable_file` parameter to job's `vault` stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using 
`image` filesystem isolation. As a result, more powerful tokens can be used 
in a job definition, allowing it to use template stanzas to issue all kinds of 
secrets (database secrets, Vault tokens with very specific policies, etc.), 
without sharing that issuing power with the task itself.

This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.

If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 15:15:04 -04:00
config compliance: add headers with fixed copywrite tool (#17353) 2023-05-30 09:20:32 -05:00
acl.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
acl_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
alloc.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
alloc_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
autopilot.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
batch_future.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
batch_future_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
bitmap.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
bitmap_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
check_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
checks.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
connect.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
connect_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_oss_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
csi.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
csi_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
devices.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
devices_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
diff.go fix host port handling for ipv6 (#16723) 2023-04-20 19:53:20 -07:00
diff_test.go Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
encoding.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
errors.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
errors_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
eval.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
event.go node pools: add event stream support (#17412) 2023-06-06 10:14:47 -04:00
extensions.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
funcs.go core: use faster concatenation for alloc name generation. (#17591) 2023-06-22 07:46:28 +01:00
funcs_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
generate.sh Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
handlers.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
job.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
keyring.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
network.go scheduler: tolerate having only one dynamic port available (#17619) 2023-06-20 13:29:25 -04:00
network_test.go scheduler: tolerate having only one dynamic port available (#17619) 2023-06-20 13:29:25 -04:00
node.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
node_class.go node pools: register a node in a node pool (#17405) 2023-06-02 17:50:50 -04:00
node_class_test.go node pools: register a node in a node pool (#17405) 2023-06-02 17:50:50 -04:00
node_pool.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
node_pool_oss.go chore: fix typo and copyright header (#17605) 2023-06-20 10:09:47 -04:00
node_pool_oss_test.go chore: fix typo and copyright header (#17605) 2023-06-20 10:09:47 -04:00
node_pool_test.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
node_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
operator.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
operator_test.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
search.go node pool: add search support (#17385) 2023-06-01 17:48:14 -04:00
service_identities.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
service_registration.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
service_registration_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
services.go check: Add support for Consul field tls_server_name (#17334) 2023-06-02 10:19:12 -04:00
services_test.go check: Add support for Consul field tls_server_name (#17334) 2023-06-02 10:19:12 -04:00
streaming_rpc.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
structs.go Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
structs_codegen.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
structs_oss.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
structs_oss_test.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
structs_periodic_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
structs_test.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
testing.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
uuid.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
variables.go variable: fixup metadata copy comment and remove unrequired type. (#17234) 2023-05-18 13:49:41 +01:00
variables_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
vault.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
volume_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
volumes.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
workload_id.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
workload_id_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00