So nomad can read consul key/vals in project hcl files during nomad plan/validate/run.
( eg: template stanzas fetching {{ key "service-name/key-name" }} )
can nomad write/update consul key/vals?
For context, I’m wondering for situations where I am not in the nomad + consul cluster, and have NOMAD_ADDR and NOMAD_TOKEN (and can thus speak to the cluster w/ nomad – but don’t have any similar CONSUL variables (and let’s assume that I can’t for purposes of this question 
)
Thanks for any help!
Hi @traceypooh,
The Nomad template stanza uses the consul-template library for performing these actions and unfortunately it does not seem writing to Consul KV is supported. I would suggest raising the feature request against that repository so the owner team can provide better feedback on the request.
Thanks,
jrasell and the Nomad team
thanks @jrasell !
I wound up solving my particular issue (using consul instead of vault for secrets) via the following, FWIW:
NOMAD_SECRET_ (they’re all nicely protected and masked in GitLab) – and push them into a JSON-like hashmap string into an .env filenomad validate/plan/run
project.nomad file we use for our deployments, if NOMAD_SECRETS env var hashmap is set, add a 2nd task as lifecycle sidecar/prestart, that uses exec driver and runs /usr/bin/consul kv put ... hashmap string for that project’s deploytask in job spec simply then uses consul like normal to get the secrets and stuff them into a secrets/kv.env file, with env = true
easy, right? (hehe)
I modeled it after the GitLab + Kubernetes integration, carefully noting the exposure/risk was no worse than what they were up to.
Now we don’t have to sort out dual auto-unsealing vault clusters for our secrets for our entirely on-prem clusters 