Starting from "UID/GID ownership of template output in NOMAD_SECRETS_DIR for Postgres - #6 by harningt", I’ve decided that I’ll risk my setup and use writeToFile in Nomad’s variant of consul-template to do PKI (I need split key/cert and for them to have specific permissions w/o re-render problems…)
However I have 2 problems:
- writeToFile does not honor the sandbox paths (feels like an easy patch to consul-template)
- (most important) writeToFile starts w/ base dir at root. Ex:
  writeToFile "secret/key.pem"
  results in a file+directory on the client machine being created at the top level.
This feels quite jarring compared to where you can set an output path for the template and be certain it’ll end up in the right place. I also tried "./secret/key.pem" in case there was special handling like some tools do with paths. I also tried (not expecting success) to do a printf in the path string setup to get the NOMAD_SECRETS_DIR env var to be used - but, as expected, the variable reflects what it should be from the context of the task environment.
I am suspecting that the relative start path for writeToFile in Nomad should be reflected on the “root” of whatever task environment there is, so that at least if sandboxing is not working for writeToFile… you’d have to at least use an absolute path or a relative path with .. in it to break out.
Now… besides what seems to be broken and needs a patch, has anyone solved using writeToFile for Nomad templates? Has anyone gotten a PKI cert+key written in a way w/o re-rendering issues or having to resort to a script to extract the key data for consumption?
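The containment rule the post argues for (anchor relative destinations at the task directory, and reject absolute or `..` paths that leave it), written out as an added Go example; this is not consul-template's or Nomad's own code, and the sandbox directory and destination paths are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideSandbox is returned when a destination would escape the task directory.
var ErrOutsideSandbox = errors.New("writeToFile destination escapes the task sandbox")

// resolveInSandbox anchors a relative destination at sandboxDir (a hypothetical
// per-task root on the client, instead of the filesystem root) and rejects any
// destination, absolute or relative, that does not stay underneath it.
func resolveInSandbox(sandboxDir, dest string) (string, error) {
	root := filepath.Clean(sandboxDir)
	var target string
	if filepath.IsAbs(dest) {
		target = filepath.Clean(dest)
	} else {
		target = filepath.Join(root, dest) // Join also collapses "." and ".." segments
	}
	// After cleaning, an escaping path shows up as a relative path starting with "..".
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideSandbox
	}
	return target, nil
}

func main() {
	// Constructed sandbox directory; real allocation paths differ per client.
	root := "/opt/nomad/alloc/abc123/task"
	for _, d := range []string{
		"secret/key.pem",        // stays inside: written under the task dir
		"./secret/key.pem",      // same as above once cleaned
		"/secret/key.pem",       // absolute path at the client root: rejected
		"../../etc/key.pem",     // climbs out of the task dir: rejected
		root + "/secrets/key.pem", // absolute but inside the task dir: allowed
	} {
		p, err := resolveInSandbox(root, d)
		fmt.Printf("%-38q -> %q err=%v\n", d, p, err)
	}
}
```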