Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose static_secret_render_interval from consul-template #17423

Open
the-maldridge opened this issue Jun 4, 2023 · 1 comment
Open

Expose static_secret_render_interval from consul-template #17423

the-maldridge opened this issue Jun 4, 2023 · 1 comment
Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. stage/waiting-on-upstream This issue is waiting on an upstream PR review theme/consul-template type/enhancement

Comments

@the-maldridge
Copy link

Proposal

Nomad leverages consul-template, which results in a great ability to pull secrets out of vault. Unfortunately, there are some limitations when doing this with Consul KVv2. To work around a limitation in vault, I'd like to be able to specify the static_secret_render_interval token per template in order to define a maximum level of staleness that I can accept for static secrets. For context, please see hashicorp/vault#6274.

Use-cases

Void Linux stores TLS certificates from LetsEncrypt in vault, and when these certificates are renewed, nomad doesn't re-render the templates to update the keys/certs that nginx has access to.

Attempted Solutions

Asking the vault folks first to see if there's something I can do to work around this. Otherwise I now have google calendar entries to remind me to go restart certain nomad jobs every 2 months.
@the-maldridge the-maldridge mentioned this issue Jun 4, 2023
Open
@shoenig
Copy link
Contributor

shoenig commented Jun 8, 2023

Hi @the-maldridge static_secret_render_intervalconfiguration is a part of vault, so we would first need to plumb something similar into consul-template, which is the library Nomad uses for rendering templates. I think hashicorp/consul-template#1646 is kind of asking for the same thing.

@tgross tgross added the stage/waiting-on-upstream This issue is waiting on an upstream PR review label Jun 20, 2023
@tgross tgross added the stage/accepted Confirmed, and intend to work on. No timeline committment though. label Jun 20, 2023
@tgross tgross moved this to Needs Roadmapping in Nomad - Community Issues Triage Jun 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stage/accepted Confirmed, and intend to work on. No timeline committment though. stage/waiting-on-upstream This issue is waiting on an upstream PR review theme/consul-template type/enhancement
Projects
Nomad - Community Issues Triage
Status: Needs Roadmapping
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shoenig @tgross @the-maldridge