I’m trying to configure a basic auth middleware on traefik. But I’d prefer not to write the password (even hashed) in my job file. So I’d like something like:

```hcl
tags = [
  "traefik.http.middlewares.test-auth.basicauth.users=traefik:{{ with secret \"kv/service/traefik\" }}{{ .Data.data.api_hashed_pwd }}{{ end }}",
  ...
```

Of course, this is not working as templates are not rendered here. Using env from a template like this is not working either:
```hcl
job "traefik" {
  group "traefik" {
    service "traefik" {
      tags = [
        "traefik.http.middlewares.test-auth.basicauth.users=traefik:${API_HASHED_PWD}"
      ]
    }
    task "traefik" {
      template {
        data = <<-EOF
          API_HASHED_PWD={{ with secret "kv/service/traefik" }}{{ .Data.data.api_hashed_pwd }}{{ end }}
        EOF
        destination = "secrets/env"
        env = true
      }
    }
  }
}
```
I guess it’s expected as the env are defined only at the task level, not the group. How can we use secrets from vault in tags?

While at it, is there a way to define env vars from vault without writing a file at all?

> I guess it’s expected as the env are defined only at the task level, not the group.

Yes; the execution order means that the service tags interpolation will occur outside of the scope of the template render. Therefore the API_HASHED_PWD is not available which results in the string literal you described.
Service blocks can be defined at either the group or task level and moving the service block into the traefik task would allow you to correctly interpolate the variable.
```hcl
job "traefik" {
  group "traefik" {
    task "traefik" {
      service "traefik" {
        tags = [
          "traefik.http.middlewares.test-auth.basicauth.users=traefik:${API_HASHED_PWD}"
        ]
      }
      template {
        data = <<-EOF
          API_HASHED_PWD={{ with secret "kv/service/traefik" }}{{ .Data.data.api_hashed_pwd }}{{ end }}
        EOF
        destination = "secrets/env"
        env = true
      }
    }
  }
}
```

> is there a way to define env vars from vault without writing a file at all?

This is not possible currently; issue #11900 has discussion around this feature that is relevant.

Thanks for your reply. Moving the service definition to the task level is not an option in my case, as I’m using the Consul service mesh.
For now, I define my traefik middlewares in a file, through a template stanza (in which I can use {{ with secret }}), and then only reference the existing middlewares in tags, like
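
One way to lay out the workaround described in the last post, added here as an example and not the poster's own job file: the middleware is rendered from Vault into a file that Traefik's file provider loads, and the group-level service tag refers to it only by name. The router name `api`, the Vault policy name, the image tag and the file paths are assumptions; the secret path and field are the ones used earlier in the thread.

```hcl
# Added example; names marked "assumed" do not come from the thread.
job "traefik" {
  group "traefik" {
    # Group-level service, as the Consul service mesh setup requires. The tag
    # names the middleware only; no credential reaches the Consul catalog.
    service {
      name = "traefik"
      tags = [
        "traefik.http.routers.api.middlewares=test-auth@file", # router "api" is assumed
      ]
    }

    task "traefik" {
      driver = "docker"

      vault {
        policies = ["traefik"] # assumed policy with read access to the secret
      }

      config {
        image = "traefik:v2.10" # assumed image tag
        args = [
          "--providers.consulcatalog=true",
          "--providers.file.directory=/secrets/dynamic",
          "--providers.file.watch=true",
        ]
      }

      # Rendered inside the task's secrets/ directory rather than local/.
      template {
        destination = "secrets/dynamic/middlewares.yml"
        change_mode = "noop" # Traefik's file watcher picks up re-renders
        data        = <<-EOF
          http:
            middlewares:
              test-auth:
                basicAuth:
                  users:
                    - "traefik:{{ with secret "kv/service/traefik" }}{{ .Data.data.api_hashed_pwd }}{{ end }}"
        EOF
      }
    }
  }
}
```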