Integration problem with nomad and vault

Hi,

I’m trying to put up some proof-of-concept to use hashicorp products within our company’s environment. Unfortunately I’m still a beginner in running nomad and vault and just got stuck for now. Hopefully somebody can give me a hint of what’s missing or wrong in my setup.

I’m running a nomad dev agent with version v0.11.3, consul dev agent v1.8.0 and vault server v1.5.0.
Setting up vault worked fine, I use consul as storage backend and I’m able to log in to vault’s web ui and also use vault CLI with the VAULT_ADDR environment variable set.

vault config:

listener "tcp" {
  address       = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable   = 1
}

storage "consul" {
  address = "<xxx.xx.xx.xx>:8500"
  path = "vault/"
}

ui = true

the vault section in my nomad.hcl file:

...
vault {
  enabled = true
  address = "http://<xxx.xx.xx.xx>:8200"
  token       = "<xyz>"
}
...

When I try to schedule a nomad job using vault secrets the container won’t start up because nomad is not able to fill out the secrets portion of the job file.

Looking at the nomad logs it seems that my address settings in nomad.hcl are ignored.

Log output:

2020/08/24 14:40:27.421720 [WARN] (view) vault.read(kv/test): vault.read(kv/test): Get "https://127.0.0.1:8200/v1/kv/test": http: server gave HTTP response to HTTPS client (retry attempt 5 after "4s")

I’m not sure where the 127.0.0.1 URL and https protocol come from and how I could override them. I know when using the CLI I have to provide the VAULT_ADDR variable, but I assumed nomad gets the necessary information from the vault stanza.

Thanks in advance for any hints on how to get this working!

Hey there,

Can you share your nomad.hcl file? Did you bootstrap the ACL engine? This is required before Nomad and Vault can work.

acl { enabled = true }

You can read about the ACL system from the docs or from Learn

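An added example, not code from either post: a small POSIX shell checker for the http/https mismatch the log line shows. It builds constructed copies of the two config files (placeholder IP and token), assumes a single listener "tcp" block in the Vault config and a single vault { } stanza in nomad.hcl, and treats https://127.0.0.1:8200 as the value Nomad uses when no vault.address is set (that is Nomad's documented default for the field, and it is exactly the URL in the log). It reports whether the scheme Nomad will speak agrees with the listener's tls_disable setting, and warns when Nomad is on the default address.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a Vault listener config
# against a Nomad vault stanza for scheme mismatches and unloaded stanzas.
set -eu

# Nomad's documented default for vault.address (used when no stanza is loaded).
NOMAD_DEFAULT_VAULT_ADDR="https://127.0.0.1:8200"

# Constructed sample configs mirroring the post; IP and token are placeholders.
VAULT_CFG=$(mktemp)
NOMAD_CFG=$(mktemp)
EMPTY_CFG=$(mktemp)   # a nomad.hcl with no vault stanza at all
trap 'rm -f "$VAULT_CFG" "$NOMAD_CFG" "$EMPTY_CFG"' EXIT

cat >"$VAULT_CFG" <<'EOF'
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = 1
}
EOF

cat >"$NOMAD_CFG" <<'EOF'
vault {
  enabled = true
  address = "http://10.0.0.5:8200"
  token   = "REDACTED"
}
EOF

# Scheme Vault actually serves: tls_disable = 1/true means plain http.
# Assumes one tcp listener in the file.
vault_listener_scheme() {
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?' "$1"; then
    echo http
  else
    echo https
  fi
}

# Address Nomad will use: the value inside the vault { } stanza, else the default.
# Only looks inside the vault block so a consul { address = ... } line is ignored.
nomad_vault_address() {
  addr=$(awk '
    /^[[:space:]]*vault[[:space:]]*\{/ { in_vault = 1; next }
    in_vault && /^[[:space:]]*\}/      { in_vault = 0 }
    in_vault && /^[[:space:]]*address[[:space:]]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
    }' "$1")
  echo "${addr:-$NOMAD_DEFAULT_VAULT_ADDR}"
}

# 0 when the scheme in Nomad's address matches the Vault listener, 1 otherwise.
check_vault_stanza() {
  want=$(vault_listener_scheme "$1")
  addr=$(nomad_vault_address "$2")
  have=$(printf '%s\n' "$addr" | sed 's#://.*##')
  if [ "$addr" = "$NOMAD_DEFAULT_VAULT_ADDR" ]; then
    echo "warning: Nomad is on its default vault.address ($addr); no vault stanza was loaded from $2" >&2
  fi
  if [ "$have" = "$want" ]; then
    echo "ok: $addr matches the Vault listener scheme ($want)"
    return 0
  fi
  echo "mismatch: Nomad will use $have but the Vault listener serves $want ($addr)" >&2
  return 1
}

# Stanza present and correct: passes.
check_vault_stanza "$VAULT_CFG" "$NOMAD_CFG"
# No stanza loaded: reproduces the https://127.0.0.1:8200 address from the log.
check_vault_stanza "$VAULT_CFG" "$EMPTY_CFG" || true
```

If the checker reports the default address for a nomad.hcl that does contain a vault stanza, the agent is not reading that file; confirm it was started with that file (nomad agent -config <path>) before looking at tokens or policies. The scheme check is also a cheap guard against the opposite mistake, an https address pointed at a listener with tls_disable = 1, which would send the Nomad token to Vault in cleartext if the listener were later changed.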