open-nomad/website/content/docs/concepts
grembo 7936c1e33f
Add disable_file parameter to job's vault stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using 
`image` filesystem isolation. As a result, more powerful tokens can be used 
in a job definition, allowing it to use template stanzas to issue all kinds of 
secrets (database secrets, Vault tokens with very specific policies, etc.), 
without sharing that issuing power with the task itself.

This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.

If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 15:15:04 -04:00
..
plugins
scheduling
acl.mdx docs: corrections and additional information for OIDC-related concepts (#17470) 2023-06-09 16:50:22 +02:00
architecture.mdx
consensus.mdx
filesystem.mdx Add disable_file parameter to job's vault stanza (#13343) 2023-06-23 15:15:04 -04:00
gossip.mdx
index.mdx
security.mdx
variables.mdx
workload-identity.mdx