Interpolating env IP_ADDRESS into certificate ip_sans value

I am trying to have a nice reusable consul-template I can use for all my Nomad client certificates. I would like to have the certificate include the bound host IP of the node included in the ip_sans value. I’m hoping for something like:

{{ with secret "pki_int/issue/nomad-cluster"
  "common_name=client.global.nomad"
  "alt_names=localhost, client.global.nomad, *.home, *.home.consul, *.home.nomad, *.node.consul, *.service.consul"
  "ip_sans=127.0.0.1,$(env IP_ADDRESS)"
  "ttl=720h"
}}{{ .Data.certificate }}{{ end }}

I know that $(env IP_ADDRESS) syntax is incorrect, but I’m trying to figure out what pattern I can use inside the parameters of a block. I presume if I knew more Golang, I could intuit something together, but I am a simple padawan and couldn’t find the exact example I needed in the consul-template docs.

Has anyone done this who can share an explanation around how to proceed?

Thanks in advance,
Sam

After fussing about a bit and diving into some docs, I was able to figure it out.

Here’s the template I was finally able to get to render:

{{ with $ip_address := ( sockaddr "GetPrivateIP" ) }}
{{ with secret "pki_int/issue/agent-cluster" "common_name=client.global.nomad" "alt_names=localhost,nomad-client.service.consul" (printf "ip_sans=127.0.0.1,%s" $ip_address) "ttl=720h"}}{{ .Data.certificate }}{{ end }}
{{ end }}
5 Likes
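As an added example (not code from either post), the Go program below runs the question's env-based variant through Go's text/template, using the same parenthesised printf as the answer, to show that the sub-expression reaches the secret call as a single string parameter. The `env` and `secret` functions here are stand-ins for consul-template's own, `checkIPSANs` is a hypothetical helper, and the address and certificate text are constructed values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"text/template"
)

// The question's env-based variant, using the parenthesised printf from the answer.
const certTmpl = `{{ with secret "pki_int/issue/nomad-cluster" "common_name=client.global.nomad" (printf "ip_sans=127.0.0.1,%s" (env "IP_ADDRESS")) "ttl=720h" }}{{ .Data.certificate }}{{ end }}`

// render executes certTmpl with stand-ins for consul-template's env and
// secret functions and returns the parameters the secret call received.
func render(environ map[string]string) (params []string, out string, err error) {
	funcs := template.FuncMap{
		"env": func(k string) string { return environ[k] },
		"secret": func(path string, kv ...string) (map[string]interface{}, error) {
			params = kv // record what would be sent to the PKI role
			data := map[string]interface{}{"certificate": "CONSTRUCTED-PEM"}
			return map[string]interface{}{"Data": data}, checkIPSANs(kv)
		},
	}
	t := template.Must(template.New("cert").Funcs(funcs).Parse(certTmpl))
	var sb strings.Builder
	err = t.Execute(&sb, nil)
	return params, sb.String(), err
}

// checkIPSANs (hypothetical helper) rejects an ip_sans parameter with an empty
// or malformed entry, which is what an unset IP_ADDRESS produces ("127.0.0.1,").
func checkIPSANs(kv []string) error {
	for _, p := range kv {
		if !strings.HasPrefix(p, "ip_sans=") {
			continue
		}
		for _, ip := range strings.Split(strings.TrimPrefix(p, "ip_sans="), ",") {
			if net.ParseIP(strings.TrimSpace(ip)) == nil {
				return fmt.Errorf("ip_sans entry %q is not an IP address", ip)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(render(map[string]string{"IP_ADDRESS": "10.0.0.12"})) // constructed address
	fmt.Println(render(map[string]string{}))                          // IP_ADDRESS unset
}
```

The second call shows the failure mode of the env approach: with IP_ADDRESS unset, the parameter becomes `ip_sans=127.0.0.1,` with a trailing empty entry.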