Using consul/vault key in nomad service check?

I am running a service with nomad that has its only viable healthcheck endpoint requiring authorization. You can pass in the token via URL parameter or HTTP header. Configuring either one works in the nomad config, but I’d like to have that key be retrieved from consul/vault (I don’t have vault setup on my dev environment atm).

i.e. I’d like to do something like the following:

      check {
        name = "http-health"
        type = "http"
        port = "http"
        # path = "/api/v1/status?token=bbd7d0d4-688b-4cd3-ac05-6bf2b2a67542"
        path = "/api/v1/status"
        interval = "5s"
        timeout = "5s"
        failures_before_critical = 5
        header {
          # X-Auth-Token = [ "bbd7d0d4-688b-4cd3-ac05-6bf2b2a67542" ]
          X-Auth-Token = [ "{{ key \"blah/token\" }}" ]

Is there any way of achieving this without rendering the nomad config using levant?

I believe the only opportunity you have for templating in Vault data is inside of template blocks. Personally I switched over to a workflow that involves levant and I don’t regret it. It’s made some other problems much easier to solve.

1 Like

That’s what I was thinking, yeah. I was migrating away from an over-complicated levant setup, but it seems I might have to introduce it back in some parts. The other downside is I don’t get the nice integration between nomad and consul that automatically restarts your jobs. Ah well

I don’t think you have to give up the consul service checks and nomad restarts. Maybe describe your setup a bit more?

Perhaps I misunderstood you. Are you saying the downside of giving up levant is losing templating in service checks?

Am I misunderstanding this? I want to retrieve auth token used the the service check header/path from consul-kv/vault, rather than having it hard-coded in the nomad .hcl file. I can template it with levant, which works w/ retrieving the key from consul but you don’t gain the functionality in nomad where changes in the consul-KV store update the corresponding nomad job (you have to rerun the levant template manually).

Are any of these assumptions wrong?

You’re correct, I misunderstood the problem you were describing. Apologies.

1 Like