Is there a way to automatically share the Encryption key?


I was just wondering if there’s a way to share the Encrypt key down to the non-bootstrap servers.

# Server & Raft configuration
server {
  enabled          = true
  bootstrap_expect = $BOOTSTRAP_EXPECT
  **# encrypt          = "$ENCRYPT_NOMAD_KEY"   THIS KEY**

  server_join {
   retry_join = ["provider=digitalocean tag_name=... tag_value=...  api_token="]
  default_scheduler_config { 
    scheduler_algorithm = "spread" # change from default of binpack

Yes. With a configuration management tool. We use ansible to write out configuration files, and ansible gets this value from Vault’s K/V store.

Alternatively you could use consul-template to do something similar.


I ended up using consul KV along with consul-template tool. Thanks!