UID/GID ownership of template output in NOMAD_SECRETS_DIR for Postgres

I am running the “official” Postgres container on Nomad (using the Docker driver) and provisioning a PKI keypair from Vault via a template stanza. The issue I have is that the Postgres container runs as a specified user with uid 999/gid 999 and it isn’t in the root group. Postgres requires file mode 0600 or 0640 for its SSL key. I’d like to have it in NOMAD_SECRETS_DIR and somehow change the ownership.

Here’s a representative example of the template for generating the key:

template {
        destination = local.postgres_key_path
        perms       = "0600"  # -rw------- 1 root root
        data        = <<EOF
{{- with secret "pki/issue/postgres" "common_name=postgres.service.consul" "format=pem" -}}
{{ .Data.private_key }}
{{- end -}}
EOF
}

I’d prefer not to run Postgres as root or run a privileged container. Is it possible to change the ownership of a secret to make Postgres happy? Or is there some other solution I’m missing?

Hey @hntrmrrs,

I don’t think changing ownership of the rendered template is supported by Nomad at the moment. I’m not 100% as I maintain consul-template and don’t work directly on Nomad, but consul-template just recently merged a PR with that feature (setting the user/group of the template’s destination file) and it didn’t have it before that.

Those features will eventually make it into Nomad, but that will probably be a ways out as they’ll need to update their dependency to use the latest consul-template.

The PRs related to adding that feature in case you’re curious.

Sorry I couldn’t be of more help.

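To make the constraint concrete, here is an added example (not from the thread, and not Nomad's or Postgres' own code): a POSIX shell preflight check that a container entrypoint could run before starting Postgres. It applies the documented PostgreSQL rule for the server key, which is a little more specific than "0600 or 0640": mode 0600 or stricter when the file is owned by the database user, mode 0640 or stricter when it is owned by root. It assumes Linux stat(1) with -c; the uid 999 from the question is only a sample argument.

```shell
#!/bin/sh
# Added example, not from the thread: a preflight check for a container
# entrypoint, applying PostgreSQL's documented rule for ssl_key_file:
# mode 0600 or stricter if owned by the database user, 0640 or stricter
# if owned by root. It also flags the situation from the question above:
# a root:root 0600 key passes the mode rule but uid 999 cannot open it.
# Assumes Linux stat(1) with -c (GNU coreutils or busybox).

# check_ssl_key FILE DB_UID
# Returns 0 if postgres running as DB_UID can open and will accept FILE,
# 1 otherwise, with the reason written to stderr.
check_ssl_key() {
    file=$1
    db_uid=$2
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    # if we already run as the database user, a plain read test settles it
    if [ "$(id -u)" = "$db_uid" ] && [ ! -r "$file" ]; then
        echo "$file: not readable by uid $db_uid" >&2; return 1
    fi
    owner=$(stat -c '%u' "$file") || return 1
    gid=$(stat -c '%g' "$file") || return 1
    # %a prints the octal mode without a leading zero (600); pad to 4 digits
    mode=$(printf '%04d' "$(stat -c '%a' "$file")") || return 1
    rest=${mode#??}          # drop the special-bits and owner digits
    group_digit=${rest%?}
    other_digit=${rest#?}
    if [ "$other_digit" != 0 ]; then
        echo "$file: mode $mode is world-accessible, postgres will refuse it" >&2
        return 1
    fi
    if [ "$owner" = "$db_uid" ]; then
        # owned by the database user: any group access is rejected
        [ "$group_digit" = 0 ] && return 0
        echo "$file: owned by uid $db_uid but mode $mode grants group access" >&2
        return 1
    fi
    if [ "$owner" = 0 ]; then
        case $group_digit in
            0) echo "$file: root-owned, mode $mode: uid $db_uid cannot read it" >&2
               return 1 ;;
            4) echo "$file: root:$gid mode $mode: ok only if uid $db_uid is in gid $gid" >&2
               return 0 ;;
            *) echo "$file: root-owned but mode $mode grants group write/exec" >&2
               return 1 ;;
        esac
    fi
    echo "$file: owner uid $owner is neither uid $db_uid nor root" >&2
    return 1
}
```

Run it as `check_ssl_key "$NOMAD_SECRETS_DIR/server.key" 999` from the entrypoint; with the root:root 0600 rendering from the question it reports that uid 999 cannot read the key, which is exactly the failure Postgres would hit at startup.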