Hi,
I'd like to introduce a small project of mine:
A Nomad Admission Control Proxy
The idea is based on this Issue and Nomad’s Internal Admission Controller
The proxy can mutate and validate Nomad requests that contain job data like plan, register, and validate.
Currently it provides an embedded OPA processor as well as a webhook option.
For validation this means you can verify, for example, whether a job contains required metadata or follows certain naming conventions.
For the mutation part, the built-in OPA mutator expects JSON Patch operations that are applied to the job's JSON representation.
Although it is a very early version, I’m quite happy with the result. Some proof-of-concept mutators I built and am a little bit excited about:
- Postgres Env Template Injection: A task marked with `... task "myapp" { meta { postgres = "native" }` will be updated with a Vault policy and a template block that renders the native Postgres client's `PG...` environment variables like `PGUSER`, `PGPASSWORD`, etc.
- OAuth2 Proxy Injection: A TaskGroup with a service marked with `group "myapp" { meta { secure = "web" } ... service { name = "web" ... }` will get an OAuth2-Proxy sidecar which takes the name of the service and forwards only authorized requests to the upstream service.
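To illustrate what such a mutator hands back for the Postgres case, here is a small Go function (an added example, not the project's code) that inspects a job's JSON and emits the JSON Patch operations the proxy would apply; the policy name `postgres-native`, the secret path `database/creds/myapp` and the template destination are assumptions.

```go
package main

import "encoding/json"
import "fmt"

// The slice of Nomad's job JSON this mutator needs; other fields are left untouched.
type task struct {
	Meta      map[string]string
	Templates []json.RawMessage
}
type job struct{ TaskGroups []struct{ Tasks []task } }
// One RFC 6902 JSON Patch operation, the form the proxy's mutator applies.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// Hypothetical Vault policy name and secret path; adjust to your setup.
const pgPolicy = "postgres-native"
const pgTemplate = "{{ with secret \"database/creds/myapp\" }}\n" +
	"PGUSER={{ .Data.username }}\nPGPASSWORD={{ .Data.password }}\n{{ end }}"
// postgresPatches returns the patch that injects a Vault policy and a PG*
// env template into every task whose meta has postgres = "native".
func postgresPatches(jobJSON []byte) ([]patchOp, error) {
	var j job
	if err := json.Unmarshal(jobJSON, &j); err != nil {
		return nil, err
	}
	var ops []patchOp
	for gi, g := range j.TaskGroups {
		for ti, t := range g.Tasks {
			if t.Meta["postgres"] != "native" {
				continue
			}
			base := fmt.Sprintf("/TaskGroups/%d/Tasks/%d", gi, ti)
			// "add" on an object member creates it or replaces an existing one.
			ops = append(ops, patchOp{"add", base + "/Vault", map[string][]string{"Policies": {pgPolicy}}})
			tmpl := map[string]interface{}{"DestPath": "secrets/pg.env", "EmbeddedTmpl": pgTemplate, "Envvars": true}
			if t.Templates == nil { // "/-" cannot append to a missing or null array: create it
				ops = append(ops, patchOp{"add", base + "/Templates", []interface{}{tmpl}})
			} else {
				ops = append(ops, patchOp{"add", base + "/Templates/-", tmpl})
			}
		}
	}
	return ops, nil
}
// Constructed sample job: the first task opts in, the second does not.
const sampleJob = `{"TaskGroups":[{"Tasks":[{"Meta":{"postgres":"native"}},{"Meta":{}}]}]}`
```

Tasks that already carry a `Templates` array get an append operation instead of a whole-array replacement, so existing templates survive the mutation.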
Another idea I had but have not yet tested was to build a Notary validator that checks whether the specified container images are signed and approved before the deployment.
Looking forward to some ideas and feedback on how to further extend it, or whether this doesn't make sense at all.