open-nomad/e2e/workload_id/input/identity.nomad
Charlie Voiselle cc6f4719f1
Add option to expose workload token to task (#15755)
Add `identity` jobspec block to expose workload identity tokens to tasks.

---------

Co-authored-by: Anders <mail@anars.dk>
Co-authored-by: Tim Gross <tgross@hashicorp.com>
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
2023-02-02 10:59:14 -08:00


# E2E fixture for the `identity` jobspec block: one batch job whose five tasks
# each declare a different identity configuration and then run the same probe.
# The probe reports on the two places a workload identity token could appear:
#   - `wc -c < secrets/nomad_token` prints only the byte count of the token
#     file; the token content itself is not echoed by this command.
#   - `env | grep NOMAD_TOKEN` prints any matching environment variable,
#     value included.
# The commands are joined with `;`, so `echo done` still runs when the file is
# missing or grep matches nothing.
# NOTE(review): when the env var is present, its value is written to the
# task's stdout. That is fine for a throwaway e2e job but is not a pattern to
# copy into real jobs, where task logs are readable by more than the task.
job "identity" {
  datacenters = ["dc1"]
  type = "batch"

  # Only place this job on clients whose kernel name attribute is "linux".
  constraint {
    attribute = "${attr.kernel.name}"
    value = "linux"
  }

  group "identity" {
    # "none" task: no identity block at all. Should log no secrets, i.e. no
    # token file byte count and no NOMAD_TOKEN line.
    task "none" {
      driver = "docker"
      config {
        # NOTE(review): "bash:5" is a mutable tag, not a digest pin, so the
        # image content can differ between runs. Consider pinning by digest.
        image = "bash:5"
        # Probe: token file size, then NOMAD_TOKEN env lines, then a marker.
        # The path is relative; presumably it resolves against the container's
        # working directory (confirm against the test harness).
        args = ["-c", "wc -c < secrets/nomad_token; env | grep NOMAD_TOKEN; echo done"]
      }
      # Small fixed resource request, identical for every task in the group.
      resources {
        cpu = 16
        memory = 32
        disk = 64
      }
    }

    # "empty" task: identity block present but with no attributes set.
    # Should log no secrets, so an empty block must not enable either
    # exposure path.
    task "empty" {
      identity {}
      driver = "docker"
      config {
        image = "bash:5"
        # Same probe command as the other tasks.
        args = ["-c", "wc -c < secrets/nomad_token; env | grep NOMAD_TOKEN; echo done"]
      }
      resources {
        cpu = 16
        memory = 32
        disk = 64
      }
    }

    # "env" task: token exposed through the environment only.
    # Should log only the env var. The grep output contains the token value.
    task "env" {
      identity {
        env = true
        file = false
      }
      driver = "docker"
      config {
        image = "bash:5"
        # Same probe command as the other tasks.
        args = ["-c", "wc -c < secrets/nomad_token; env | grep NOMAD_TOKEN; echo done"]
      }
      resources {
        cpu = 16
        memory = 32
        disk = 64
      }
    }

    # "file" task: token exposed through the secrets file only (`env` is left
    # unset). Should log only the token file's byte count; no NOMAD_TOKEN env
    # line is expected.
    task "file" {
      identity {
        file = true
      }
      driver = "docker"
      config {
        image = "bash:5"
        # Same probe command as the other tasks.
        args = ["-c", "wc -c < secrets/nomad_token; env | grep NOMAD_TOKEN; echo done"]
      }
      resources {
        cpu = 16
        memory = 32
        disk = 64
      }
    }

    # "falsey" task: both exposure paths explicitly disabled.
    # Should behave the same as having no identity block.
    task "falsey" {
      identity {
        env = false
        file = false
      }
      driver = "docker"
      config {
        image = "bash:5"
        # Same probe command as the other tasks.
        args = ["-c", "wc -c < secrets/nomad_token; env | grep NOMAD_TOKEN; echo done"]
      }
      resources {
        cpu = 16
        memory = 32
        disk = 64
      }
    }
  }
}