Hi team,
We store app-specific ENV vars in Vault and use them in jobs via templates. Works very well. When Nomad 1.4 launched with vars inbuilt, I got really excited, as it would allow us to remove the Vault dependency. Still trying to figure out:
- Do the Nomad vars have some kind of history associated with them? Vault has versions, and you can easily see what changed between versions.
- The docs are not very comprehensive about exposing the Nomad vars to all the jobs in a namespace. Right now it seems that the vars can be exposed on a per job/group/task basis. Our use case requires us to run multiple jobs in a namespace (which is a proxy for prod/staging etc…). Is there a way to share the same set of vars with all the jobs in the namespace without duplicating them per job? I tried attaching an ACL policy with a wildcard (*) in the path and then applying this policy to this namespace with a wildcard as the job, but that doesn’t seem to work.
```hcl
# policy-read.hcl
namespace "ns-1" {
  variables {
    path "*" {
      capabilities = ["read", "list"]
    }
  }
}
```

```shell
# attach this policy to NS and Jobs
nomad acl policy apply -namespace ns-1 -job "*" -description "allow var shared access" ns-var-read policy-read.hcl
```
Any help is much appreciated.
Thanks,
Vikas
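
An added example, not part of the original post: Nomad gives every task's workload identity implicit read access to the variable at `nomad/jobs` in the job's own namespace (as well as `nomad/jobs/<job>`, `nomad/jobs/<job>/<group>` and `nomad/jobs/<job>/<group>/<task>`), so one variable at that path can be read by every job in `ns-1` without an extra ACL policy. The job name, image and keys below are constructed placeholders.

```hcl
# Constructed example. The shared variable is written once per namespace, e.g.:
#   nomad var put -namespace ns-1 nomad/jobs APP_ENV=staging LOG_LEVEL=info
# APP_ENV and LOG_LEVEL are hypothetical keys.

job "example-api" {                       # hypothetical job name
  namespace = "ns-1"

  group "api" {
    task "server" {
      driver = "docker"

      config {
        image = "example/api:1.0"         # placeholder image
      }

      # Renders the namespace-wide variable into the task's environment.
      # No ACL policy is attached: the read is allowed by the implicit
      # workload-identity access to "nomad/jobs" in namespace ns-1.
      template {
        destination = "secrets/shared.env"
        env         = true
        data        = <<EOT
{{ with nomadVar "nomad/jobs" }}
APP_ENV={{ .APP_ENV }}
LOG_LEVEL={{ .LOG_LEVEL }}
{{ end }}
EOT
      }
    }
  }
}
```

Anything stored at `nomad/jobs` is readable by every job in that namespace, so values only one job should see belong at `nomad/jobs/<job>` or below.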