Nomad: Allow secrets with arbitrary characters (including ') to be injected to env from Vault

Created on 21 Feb 2019 · 4 Comments · Source: hashicorp/nomad

Nomad version

Nomad v0.8.5 (90fbfaba6a6d9af7febc39082b95ed832d8b8bd6)

Operating system and Environment details

Ubuntu 16.04.5 LTS
Linux 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Enhancement Request

I would like the Nomad job parser to be able to handle a secret from Vault that contains any character. Currently, I can single quote the Vault value in the Nomad job template stanza to handle most cases:

SQLSERVER_PASSWORD='[%.Data.data.SQLSERVER_PASSWORD%]'

This includes cases where the secret contains " or \ or #. However, if the secret contains ', it will not work without doing something like:

SQLSERVER_PASSWORD=[%.Data.data.SQLSERVER_PASSWORD% | toJSON]

However, this will require that the application be updated to convert escaped characters back into literals, which I would like to avoid.

Labels: theme/client, theme/consul-template, theme/template, type/enhancement

All 4 comments

Thanks for filing! Original discussion: https://groups.google.com/d/topic/nomad-tool/lURwpsL_zWE/discussion

This will either have to be fixed in https://github.com/hashicorp/go-envparse or by dropping that library and going with a simpler env parser that iterates over lines, splits on =, and treats all characters until EOL as the value.

After re-reading _my own docs_ I realized the intended way to support this is by using the toJSON function _without_ additional quoting:

SQLSERVER_PASSWORD=[%.Data.data.SQLSERVER_PASSWORD | toJSON%]

Nomad will properly parse the JSON encoded string, decoding all escape codes to their literal form in the environment variable. So if the password is "abc#123' the above template would get written as:

SQLSERVER_PASSWORD="\"abc#123'"

Nomad would then read the file, evaluate the escape sequences, and insert SQLSERVER_PASSWORD="abc#123' into your environment as expected!

I'm terribly sorry for the confusion. The docs are insufficient, and I'll fix them before closing.

_Update: fixed typo thanks to @imdibiji below_
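The following is an added illustration of the two approaches discussed in the issue description and in the comment above (why single-quoting the secret breaks once it contains a ', and why JSON-encoding it with toJSON round-trips); it is not code from Nomad, from go-envparse, or from anyone in this thread. It assumes a hypothetical parseEnvLine that is a simplified model of the env-file parsing behaviour the thread describes (double-quoted values have escapes evaluated, single-quoted values are literal, unquoted values run to end of line), and uses encoding/json as a stand-in for the template's toJSON function. The secret values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// renderToJSON stands in for the template's toJSON function: encoding/json
// turns the secret into a JSON string literal, so every " and \ inside it is
// escaped and the whole value is wrapped in double quotes.
func renderToJSON(secret string) (string, error) {
	b, err := json.Marshal(secret)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// quoteSingle is the single-quoting workaround from the issue description.
func quoteSingle(secret string) (string, error) {
	return "'" + secret + "'", nil
}

// closingDoubleQuote returns the index of the unescaped " that closes the
// double-quoted value starting at s[0], or -1 if there is none.
func closingDoubleQuote(s string) int {
	for i := 1; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped character
		case '"':
			return i
		}
	}
	return -1
}

// parseEnvLine is a simplified model (assumption: not go-envparse itself) of
// the env-file parsing the thread describes:
//   - a double-quoted value has its escape sequences evaluated,
//   - a single-quoted value is taken literally,
//   - an unquoted value runs to the end of the line,
//   - anything after a closing quote is an error.
func parseEnvLine(line string) (key, value string, err error) {
	parts := strings.SplitN(line, "=", 2)
	if len(parts) != 2 || parts[0] == "" {
		return "", "", errors.New("expected KEY=VALUE")
	}
	key, raw := parts[0], parts[1]
	switch {
	case strings.HasPrefix(raw, `"`):
		end := closingDoubleQuote(raw)
		if end < 0 {
			return "", "", errors.New("unterminated double quote")
		}
		if strings.TrimSpace(raw[end+1:]) != "" {
			return "", "", errors.New("unexpected characters after closing quote")
		}
		// strconv.Unquote evaluates \" \\ \n \uXXXX etc. as in a Go literal,
		// which covers the escapes encoding/json emits.
		value, err = strconv.Unquote(raw[:end+1])
		if err != nil {
			return "", "", err
		}
	case strings.HasPrefix(raw, `'`):
		end := strings.IndexByte(raw[1:], '\'')
		if end < 0 {
			return "", "", errors.New("unterminated single quote")
		}
		end++ // index of the closing quote in raw
		if strings.TrimSpace(raw[end+1:]) != "" {
			return "", "", errors.New("unexpected characters after closing quote")
		}
		value = raw[1:end]
	default:
		value = raw
	}
	return key, value, nil
}

func main() {
	// Constructed sample secrets: plain, with " \ #, and with a single quote.
	secrets := []string{`abc#123`, `ab"c\d#e`, `"abc#123'`}
	renderers := []struct {
		name string
		fn   func(string) (string, error)
	}{{"single-quoted", quoteSingle}, {"toJSON", renderToJSON}}
	for _, secret := range secrets {
		for _, r := range renderers {
			rendered, _ := r.fn(secret)
			line := "SQLSERVER_PASSWORD=" + rendered
			_, got, err := parseEnvLine(line)
			fmt.Printf("%-13s %-32s -> ", r.name, line)
			if err != nil {
				fmt.Println("parse error:", err)
				continue
			}
			fmt.Printf("%q (round-trip: %v)\n", got, got == secret)
		}
	}
}
```

Running it shows the single-quoted form surviving " \ and # but failing on a secret that itself contains ', while the JSON-encoded form round-trips all three secrets because the quoting and the escape evaluation are the same encoding on both sides.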

@schmichael That's great news, thank you for helping me understand how to get secrets from Vault into a Nomad job faithfully.

@schmichael I found that I needed to do this (move the % to the end):

SQLSERVER_PASSWORD=[%.Data.data.SQLSERVER_PASSWORD | toJSON %]

Otherwise, the allocation will fail quickly with Template: (dynamic): parse: template: :12: unexpected "%" in operand
