The template stanza is very useful for many of the jobs my team and I run. The restart and signal modes help a lot for some of our workloads. However, I’ve also used Vault Agent which will run a command after a new secret is rendered from Vault, assuming there is an expiry for that secret. Is there any way to do this in Nomad for a re-rendered template (whether it be for secrets, or for service discovery w/Consul)? If this isn’t possible, I’m considering opening a feature request for this.
Hi @paladin-devops, this is not currently possible. I’d be curious to understand the specific requirement(s) you have to identify is this is currently possible in some other manner to achieve this goal?
Thanks,
jrasell and the Nomad team
Hi @jrasell, thanks for checking in so soon. The specific use case I have here is Zookeeper and its dynamic config file.
https://zookeeper.apache.org/doc/r3.5.3-beta/zookeeperReconfig.html
I have working template which correctly populates the dynamic config file by referring to Consul for metadata about the Nomad job’s own Zookeeper service, but that file does not take effect for the running Zookeeper process without running the reconfig command, which is required for multiple changes to take effect. The observed behavior is that ZK will continue to log <no_server> in its dynamic config file if that was the state of the file when it first came online, even after the template re-rendered later.
I’ve seen implementations where the Docker container for the given application (in this case, Zookeeper) is written to perform such an action when it receives a signal (like SIGUSR1). However, adding a command option after a re-render could simplify this and remove the need for container customization.