I have a secret which my application consumes via environment variable, but as far as the application is concerned, it is ok if the secret is not provided and it will behave accordingly. Unfortunately, if the secret is not set in vault, my nomad job won’t start. I’m currently setting the variable via a template like this:
MY_OPTIONAL_SECRET = “{{- with secret “secret/my/optional/key” }}{{.Data.value}}{{- end}}”
I can’t find anything in the documentation about if it’s possible to tell nomad not to complain if that secret key does not exist; is there a way that I’m not finding to just use an empty string if there’s nothing in the vault?
The Nomad template block uses consul-template internally to perform the rendering and API calls. The documentation on the secret function includes the following which I believe would help solve you problem:
You can also guard against empty values using if or with blocks.
Specifically as you mention the use of an empty string I believe the following code example would be suited:
{{ with secret "secret/my/optional/key"}}
{{ if .Data.value }}
MY_OPTIONAL_SECRET = "{{ .Data.value }}"
{{ else }}
MY_OPTIONAL_SECRET = ""
{{ end }}
{{ end }}
but thanks for the link to the function documentation I was having trouble finding that. Now that I have that I think I might be able to use the secrets function to iterate over secrets in the path of interest and if the key matches with the one I want then do stuff; if nothing matches it won’t do anything. I’ll post back here if I get that to work.
That did work (although I did not test what happens if the root path doesn’t exist):
Plus {{ range secrets "secret/my/optional/" }}
{{ if ( eq . "key" ) }}
MY_OPTIONAL_SECRET="{{- with secret "secret/my/optional/key" }}{{.Data.value}}{{- end}}"
{{ end }}
{{ end }}