Nomad template writeToFile issue

Starting from the thread "UID/GID ownership of template output in NOMAD_SECRETS_DIR for Postgres" (#6 by harningt), I've decided that I'll risk my setup and use writeToFile in Nomad's variant of consul-template to do PKI (I need split key/cert and for them to have specific permissions w/o re-render problems...)

However I have 2 problems:

  • writeToFile does not honor the sandbox paths (feels like an easy patch to consul-template)
  • (most important) writeToFile starts w/ base dir at root. Ex: writeToFile "secret/key.pem" results in a file+directory on the client machine being created at the top level.

This feels quite jarring compared to where you can set an output path for the template and be certain it'll end up in the right place. I also tried "./secret/key.pem" in case there was special handling like some tools do with paths. I also tried (not expecting success) to do a printf in the path string setup to get the NOMAD_SECRETS_DIR env var to be used - but as expected - the variable reflects what it should be from the context of the task environment.

I am suspecting that the relative start path for writeToFile in nomad should be reflected on the “root” of whatever task environment there is so that at least if sandboxing is not working for writeToFile… you’d have to at least use an absolute path or relative path with .. in it to break out.

Now... besides what seems to be broken and needs a patch, has anyone solved using writeToFile for Nomad templates? Has anyone gotten PKI cert+key written in a way w/o re-rendering issues or having to resort to a script to extract the key data for consumption?

These are both fixable [1] in the long run but will take a bit of time to get patched then have the dependency updated in Nomad. As long as you can work around things in the meantime we can get this stuff fixed up for a better future.

If you’d consider filing issues for both these features in github I’d greatly appreciate it. If you’d like to work on them as PRs instead I’ll happily review them. If not I’ll definitely take a look at them for the next release as I’m pretty sure they are both fairly straightforward and will be easy to add.

[1] The path restriction should be very easy using the same basic code from the file function. The relative path handling should be possible as well as I’ve done similar things before where you convert relative paths to absolute paths (using path/filepath Abs and Clean) first.
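A sketch of the two fixes the reply describes (resolve a relative writeToFile path against the sandbox root using path/filepath Abs and Clean, then reject anything that lands outside that root), written as an added Go example. This is not consul-template's or Nomad's code; the function name SandboxedPath, the error value, and the sandbox path /alloc/secrets used in main are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideSandbox is returned when a requested output path would resolve
// outside the configured sandbox directory. (Illustrative name.)
var ErrOutsideSandbox = errors.New("path escapes sandbox")

// SandboxedPath resolves p for writing inside sandbox.
//
//   - A relative p is taken relative to the sandbox root, not the process
//     working directory, so "secret/key.pem" no longer lands at "/secret".
//   - The result is cleaned (".." and "." segments collapsed) before the
//     containment check, so "/root/../etc/x" is judged by where it ends up.
//   - Containment uses filepath.Rel rather than a string prefix, so a
//     sibling directory like "/alloc/secretsX" is not mistaken for the root.
//
// The check is lexical: it does not follow symlinks.
func SandboxedPath(sandbox, p string) (string, error) {
	if sandbox == "" {
		// No sandbox configured: only normalise the path.
		return filepath.Clean(p), nil
	}
	root, err := filepath.Abs(sandbox)
	if err != nil {
		return "", err
	}

	var candidate string
	if filepath.IsAbs(p) {
		candidate = filepath.Clean(p)
	} else {
		candidate = filepath.Join(root, p) // Join also cleans the result
	}

	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideSandbox, p, candidate)
	}
	return candidate, nil
}

func main() {
	// Assumed sandbox root for the demonstration.
	const sandbox = "/alloc/secrets"
	for _, p := range []string{
		"secret/key.pem",                    // relative: now inside the sandbox
		"./secret/key.pem",                  // dot-relative: same result
		"/alloc/secrets/../secrets/key.pem", // absolute with ..: cleaned, still inside
		"../etc/passwd",                     // relative escape: rejected
		"/etc/passwd",                       // absolute escape: rejected
		"/alloc/secretsX/key.pem",           // prefix look-alike: rejected
	} {
		out, err := SandboxedPath(sandbox, p)
		if err != nil {
			fmt.Printf("%-36s -> REJECTED (%v)\n", p, err)
			continue
		}
		fmt.Printf("%-36s -> %s\n", p, out)
	}
}
```

Because the check is purely lexical, a symlink already present inside the sandbox can still point outside it; a production version should resolve the parent directory with filepath.EvalSymlinks before the containment test, or open with O_NOFOLLOW semantics, and the same containment routine should be shared with the existing file function so both read and write paths get identical treatment.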