I want to write the bcrypt version of a Vault secret into a file via a template in a Nomad job.
A snippet from my job:
template {
  data = <<-EOF
  working: ${bcrypt("test")}
  failing:{{ with secret "secret/environments/data/myscecret" }}{{ bcrypt(.Data.data.admin_dashboard_password) }}{{ end }}
  EOF
  destination = "secrets/admin_dashboard.users"
}
When calling the bcrypt function (or any other function) from within double curly braces, I get the message that the function is not defined. This happens both in the above form and with a pipeline.
Is it at all possible to do an operation on a secret, or should I encrypt the password outside of the job file?
The first example's bcrypt function is an HCL job specification function, which means it will be executed on the local machine where the nomad job run command is triggered. It uses the ${} style syntax and writes the result of the function execution as a string to the job specification before the job is submitted to the Nomad API.
The failing example uses consul-template syntax and is therefore executed once the allocation has been placed on a Nomad client. These templates are opaque to Nomad and are rendered by an internal template runner that utilises consul-template. Unfortunately, the available consul-template functions do not include a bcrypt function; however, it would be possible to use defined functions in the way you describe.
Note: It seems that the consul-template docs are not entirely correct. They mention that I can use any function from the sprig lib (which also contains a bcrypt function). However, the sprig_bcrypt method didn’t work. It turns out only sprig 2.22.0 is merged, which has way fewer functions available. Maybe the docs should link to the correct version of sprig.