open-nomad/nomad
grembo 7936c1e33f
Add `disable_file` parameter to job's `vault` stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using 
`image` filesystem isolation. As a result, more powerful tokens can be used 
in a job definition, allowing it to use template stanzas to issue all kinds of 
secrets (database secrets, Vault tokens with very specific policies, etc.), 
without sharing that issuing power with the task itself.

This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.

If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 15:15:04 -04:00
..
deploymentwatcher api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00
drainer drain: use client status to determine drain is complete (#14348) 2023-04-13 08:55:28 -04:00
mock test: add MultiregionMinJob mock (#17614) 2023-06-20 10:57:02 -04:00
state variables: remove unused state store functions. (#17660) 2023-06-22 13:54:58 +01:00
stream node pools: add event stream support (#17412) 2023-06-06 10:14:47 -04:00
structs Add `disable_file` parameter to job's `vault` stanza (#13343) 2023-06-23 15:15:04 -04:00
volumewatcher api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00
acl.go client: send node secret with every client-to-server RPC (#16799) 2023-06-22 11:06:49 -04:00
acl_endpoint.go refactor acl.UpsertTokens to avoid unnecessary RPC calls. (#17194) 2023-05-16 09:31:51 +02:00
acl_endpoint_test.go dep: update from jwt/v4 to jwt/v5 (#17062) 2023-05-03 11:17:38 -07:00
acl_test.go cli: tls certs not created with correct SANs (#16959) 2023-05-22 09:31:56 -04:00
alloc_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
alloc_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
autopilot.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
autopilot_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
autopilot_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
blocked_evals.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
blocked_evals_stats.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
blocked_evals_stats_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
blocked_evals_system.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
blocked_evals_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_agent_endpoint.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_agent_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_alloc_endpoint.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_alloc_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_csi_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_csi_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_fs_endpoint.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_fs_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_meta_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_meta_endpoint_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_rpc.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
client_rpc_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_stats_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
client_stats_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
config.go api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00
consul.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_oss_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_policy.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_policy_oss_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_policy_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
consul_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
core_sched.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
core_sched_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
csi_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
csi_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
deployment_endpoint.go Deployment Status Command Does Not Respect -namespace Wildcard (#16792) 2023-04-12 11:02:14 +02:00
deployment_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
deployment_watcher_shims.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
drainer_int_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
drainer_shims.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
encrypter.go dep: update from jwt/v4 to jwt/v5 (#17062) 2023-05-03 11:17:38 -07:00
encrypter_test.go dep: update from jwt/v4 to jwt/v5 (#17062) 2023-05-03 11:17:38 -07:00
endpoints_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
eval_broker.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
eval_broker_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
eval_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
eval_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
event_endpoint.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
event_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
fsm.go node pool: node pool upsert on multiregion node register (#17503) 2023-06-13 11:28:28 -04:00
fsm_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
fsm_registry_oss.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
fsm_test.go node pool: node pool upsert on multiregion node register (#17503) 2023-06-13 11:28:28 -04:00
heartbeat.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
heartbeat_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
job_endpoint.go node pools: validate pool exists on job registration (#17386) 2023-06-02 09:32:07 -04:00
job_endpoint_hook_connect.go connect: use heuristic to detect sidecar task driver (#17065) 2023-05-05 10:19:30 -05:00
job_endpoint_hook_connect_test.go connect: use heuristic to detect sidecar task driver (#17065) 2023-05-05 10:19:30 -05:00
job_endpoint_hook_expose_check.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_hook_expose_check_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_hook_node_pool.go node pools: validate pool exists on job registration (#17386) 2023-06-02 09:32:07 -04:00
job_endpoint_hook_node_pool_oss.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
job_endpoint_hook_vault.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_hook_vault_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_hooks.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
job_endpoint_hooks_test.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
job_endpoint_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_oss_test.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
job_endpoint_test.go node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
job_endpoint_validators.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
job_endpoint_validators_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
keyring_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
keyring_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
leader.go node pools: replicate from authoritative region (#17456) 2023-06-12 13:24:24 -04:00
leader_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
leader_test.go node pools: replicate from authoritative region (#17456) 2023-06-12 13:24:24 -04:00
license_config.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
license_config_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
merge.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
namespace_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
namespace_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
node_endpoint.go rpc: fix log message in Node.UpdateStatus (#17537) 2023-06-14 16:51:46 -04:00
node_endpoint_test.go node pool: node pool upsert on multiregion node register (#17503) 2023-06-13 11:28:28 -04:00
node_pool_endpoint.go np: check for license on RPC endpoints (#17656) 2023-06-22 12:52:20 -04:00
node_pool_endpoint_oss.go np: check for license on RPC endpoints (#17656) 2023-06-22 12:52:20 -04:00
node_pool_endpoint_test.go node pools: namespace integration (#17562) 2023-06-16 16:30:22 -04:00
operator_endpoint.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
operator_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
periodic.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
periodic_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
periodic_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
periodic_test.go api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00
plan_apply.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_node_tracker.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_node_tracker_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_pool.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_pool_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_apply_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
plan_normalization_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
plan_queue.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
plan_queue_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
raft_rpc.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
regions_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
regions_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
rpc.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
rpc_rate_metrics.go core: ensure all Server receiver names are consistent. (#16859) 2023-04-12 14:03:07 +01:00
rpc_test.go cli: tls certs not created with correct SANs (#16959) 2023-05-22 09:31:56 -04:00
scaling_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
scaling_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
search_endpoint.go np: fix node pool search permission check (#17400) 2023-06-02 12:22:47 -04:00
search_endpoint_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
search_endpoint_test.go np: fix node pool search permission check (#17400) 2023-06-02 12:22:47 -04:00
serf.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
serf_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
server.go server: remove unused endpoints struct. (#17665) 2023-06-23 08:20:33 +01:00
server_setup_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
server_test.go cli: tls certs not created with correct SANs (#16959) 2023-05-22 09:31:56 -04:00
service_registration_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
service_registration_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
stats_fetcher.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
stats_fetcher_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
status_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
status_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
system_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
system_endpoint_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
testing.go api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00
testing_oss.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
timetable.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
timetable_test.go Revert "hashicorp/go-msgpack v2 (#16810)" (#17047) 2023-05-01 17:18:34 -04:00
util.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
util_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
variables_endpoint.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
variables_endpoint_test.go allow periodic jobs to use workload identity ACL policies (#17018) 2023-05-22 09:19:16 -04:00
vault.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
vault_test.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
vault_testing.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
worker.go [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
worker_string_schedulerworkerstatus.go Make number of scheduler workers reloadable (#11593) 2022-01-06 11:56:13 -05:00
worker_string_workerstatus.go Make number of scheduler workers reloadable (#11593) 2022-01-06 11:56:13 -05:00
worker_test.go api: enable support for setting original job source (#16763) 2023-04-11 08:45:08 -05:00