Passing Nomad ACL token to traefik job via job specification

I have a cluster set up with ACL enabled. I also have a traefik job that looks like this (redacted some parts for brevity):

job "traefik" {
  group "traefik" {
    service {
      name = "traefik"
      provider = "nomad"
    }

    task "traefik" {
      driver = "docker"

      config {
        image = "traefik:v2.10.7"
        network_mode = "host"
        args = [
          "--api.dashboard=true",
          "--api.insecure=true",
          "--entrypoints.web.address=:${NOMAD_PORT_http}",
          "--entrypoints.traefik.address=:${NOMAD_PORT_admin}",
          "--providers.nomad=true",
          "--providers.nomad.exposedByDefault=false",
          "--providers.nomad.endpoint.address=http://10.0.0.3:4646/",
          "--providers.nomad.endpoint.token=<token>"
        ]
      }
    }
  }
}

Since my cluster has ACL enabled, Traefik needs a Nomad token to do service discovery. I made a new token for Traefik to use and added it as a variable with the path nomad/jobs/traefik and the name NOMAD_TOKEN.

When I hard-code this token into traefik’s jobspec, everything works great. But I’m not sure how to grab this Nomad variable and insert it into --providers.nomad.endpoint.token when I submit my job.

I think I might need to use a template block, but I’m not sure how to use a template block to add to the args array?

Hi @cmwhite92,

What version of Nomad are you running? We recently introduced the workload identities feature, which means each running allocation receives a default identity which can be used to authenticate against the Nomad API.

In the case of Traefik, you can add the following identity block to your task specification. This will export a NOMAD_TOKEN environment variable within the task environment which has permissions granted by the workload identity. This will be read by Traefik when building the Nomad client and allow API connectivity.

identity {
  env           = true
  change_mode   = "restart"
}

Thanks,
jrasell and the Nomad team
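
The template-block route asked about in the question, as an added example that is not part of either post: rather than interpolating into `args`, the template renders the `NOMAD_TOKEN` item of the `nomad/jobs/traefik` variable into the task environment, relying on the answer's statement that Traefik reads `NOMAD_TOKEN` when building its Nomad client. The `network` block, its port numbers and the `nomad.env` file name are assumptions filling in parts the question redacted.

```hcl
job "traefik" {
  group "traefik" {
    network {
      # Labels match the NOMAD_PORT_* references in args; port numbers are constructed.
      port "http"  { static = 8080 }
      port "admin" { static = 8081 }
    }

    service {
      name     = "traefik"
      provider = "nomad"
    }

    task "traefik" {
      driver = "docker"

      # Render the variable item into an env file in the task's secrets
      # directory and load it as environment variables. The token then
      # appears neither in the submitted job spec nor in the process args.
      template {
        destination = "${NOMAD_SECRETS_DIR}/nomad.env" # assumed file name
        env         = true
        change_mode = "restart" # restart Traefik when the stored token changes
        data        = <<EOT
{{ with nomadVar "nomad/jobs/traefik" }}NOMAD_TOKEN={{ .NOMAD_TOKEN }}{{ end }}
EOT
      }

      config {
        image        = "traefik:v2.10.7"
        network_mode = "host"
        args = [
          "--api.dashboard=true",
          "--api.insecure=true",
          "--entrypoints.web.address=:${NOMAD_PORT_http}",
          "--entrypoints.traefik.address=:${NOMAD_PORT_admin}",
          "--providers.nomad=true",
          "--providers.nomad.exposedByDefault=false",
          "--providers.nomad.endpoint.address=http://10.0.0.3:4646/",
          # No --providers.nomad.endpoint.token here: the token is supplied
          # through NOMAD_TOKEN in the task environment.
        ]
      }
    }
  }
}
```

With the `identity` block from the answer, the `template` block and the stored token are unnecessary; this variant applies when Traefik has to use the dedicated ACL token kept in the variable.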

Hey @jrasell,

I’m on the latest version and so was able to use that identity block to have traefik authenticate with Nomad. That’s a really convenient way to do it, thank you!

And side note: thanks for everybody’s work on Nomad. It’s a real pleasure to use.