Using consul/vault key in nomad service check?

I am running a service with nomad that has its only viable healthcheck endpoint requiring authorization. You can pass in the token via URL parameter or HTTP header. Configuring either one works in the nomad config, but I’d like to have that key be retrieved from consul/vault (I don’t have vault set up on my dev environment atm).

i.e. I’d like to do something like the following:

      check {
        name = "http-health"
        type = "http"
        port = "http"
        # path = "/api/v1/status?token=bbd7d0d4-688b-4cd3-ac05-6bf2b2a67542"
        path = "/api/v1/status"
        interval = "5s"
        timeout = "5s"
        failures_before_critical = 5
        header {
          # X-Auth-Token = [ "bbd7d0d4-688b-4cd3-ac05-6bf2b2a67542" ]
          X-Auth-Token = [ "{{ key \"blah/token\" }}" ]
        }
      }

Is there any way of achieving this without rendering the nomad config using levant?

I believe the only opportunity you have for templating in Vault data is inside of template blocks. Personally I switched over to a workflow that involves levant and I don’t regret it. It’s made some other problems much easier to solve.


That’s what I was thinking, yeah. I was migrating away from an over-complicated levant setup, but it seems I might have to introduce it back in some parts. The other downside is I don’t get the nice integration between nomad and consul that automatically restarts your jobs. Ah well

I don’t think you have to give up the consul service checks and nomad restarts. Maybe describe your setup a bit more?

Perhaps I misunderstood you. Are you saying the downside of giving up levant is losing templating in service checks?

Am I misunderstanding this? I want to retrieve the auth token used in the service check header/path from consul-kv/vault, rather than having it hard-coded in the nomad .hcl file. I can template it with levant, which works w/ retrieving the key from consul, but you don’t gain the functionality in nomad where changes in the consul-KV store update the corresponding nomad job (you have to rerun the levant template manually).

Are any of these assumptions wrong?

You’re correct, I misunderstood the problem you were describing. Apologies.

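
An added example, not posted by anyone in this thread: since Consul KV/Vault lookups are only evaluated inside `template` blocks, one way to keep the token out of the job file is to render it into the task's secrets directory and read it from a `script` check. The task name, image, the presence of `sh` and `curl` in the image, and the loopback address are assumptions; `blah/token` is the key path from the question.

```hcl
# Added example (not from the thread). Assumed: a Docker task whose image
# ships sh and curl, and a service reachable on loopback inside the task.
task "app" {
  driver = "docker"

  config {
    image = "example/app:latest" # placeholder image
    ports = ["http"]
  }

  # template blocks are where Consul KV / Vault lookups are evaluated.
  # The token is written to the task's secrets dir, not stored in the job spec.
  template {
    data        = "{{ key \"blah/token\" }}"
    destination = "secrets/health_token"
    change_mode = "noop" # re-render on KV change without restarting the task
  }

  service {
    name = "app"
    port = "http"

    # Script checks run inside the task, so they can read the rendered file.
    # The header is used rather than ?token=... so the secret stays out of
    # request paths that tend to end up in access logs.
    check {
      name    = "http-health"
      type    = "script"
      command = "/bin/sh"
      args = [
        "-c",
        "curl -fsS -o /dev/null -H \"X-Auth-Token: $(cat ${NOMAD_SECRETS_DIR}/health_token)\" http://127.0.0.1:${NOMAD_PORT_http}/api/v1/status",
      ]
      interval = "5s"
      timeout  = "5s"
    }
  }
}
```

Because the check re-reads the file on every run, a changed KV value is picked up at the next interval without resubmitting the job.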