Secret backend integration with Vault.

.travis.yml

@@ -22,27 +22,54 @@ env:
   global:
   - NOMAD_IP="127.0.0.1"
   - NOMAD_PORT="4646"
+  - VAULT_ADDR="http://127.0.0.1:8200"
+  - VAULT_TEST="true"
   matrix:
-  - NOMAD_VERSION="0.3.2"
-  - NOMAD_VERSION="0.4.1"
-  - NOMAD_VERSION="0.5.6"
-  - NOMAD_VERSION="0.6.0"
-  - NOMAD_VERSION="0.7.1"
-  - NOMAD_VERSION="0.8.1"
-  - NOMAD_VERSION="0.8.3"
-before_install:
-- curl -L -o /tmp/nomad_${NOMAD_VERSION}_linux_amd64.zip https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_amd64.zip
-- yes | unzip -d /tmp /tmp/nomad_${NOMAD_VERSION}_linux_amd64.zip
-- MAJOR_VERSION=`echo ${NOMAD_VERSION} | cut -d "." -f 2`
-- if [[ ${MAJOR_VERSION} -gt 6 ]]; then echo "Nomad version $NOMAD_VERSION supports acls";export ACL_ENABLED="--acl-enabled"; else echo "Nomad version $NOMAD_VERSION";export ACL_ENABLED="";  fi
-- /tmp/nomad agent -dev -bind ${NOMAD_IP} -node pynomad1 ${ACL_ENABLED} > /dev/null 2>&1 &
-- sleep 30
+  - NOMAD_VERSION="0.3.2";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.4.1";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.5.6";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.6.0";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.7.1";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.8.1";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.8.3";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.8.4";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.8.5";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.8.6";VAULT_VERSION="0.8.0"
+  - NOMAD_VERSION="0.3.2";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.4.1";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.5.6";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.6.0";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.7.1";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.8.1";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.8.3";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.8.4";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.8.5";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.8.6";VAULT_VERSION="0.9.0"
+  - NOMAD_VERSION="0.3.2";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.4.1";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.5.6";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.6.0";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.7.1";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.8.1";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.8.3";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.8.4";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.8.5";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.8.6";VAULT_VERSION="0.10.0"
+  - NOMAD_VERSION="0.3.2";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.4.1";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.5.6";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.6.0";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.7.1";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.8.1";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.8.3";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.8.4";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.8.5";VAULT_VERSION="0.11.4"
+  - NOMAD_VERSION="0.8.6";VAULT_VERSION="0.11.4"
 install:
 - pip install -r requirements.txt -r requirements-dev.txt
 - pip install codecov
 before_script:
-  - /tmp/nomad init
-  - /tmp/nomad run -output example.nomad > example.json
+  - sudo ./start_daemons.sh
 script:
 - py.test --cov=nomad --cov-report=term-missing --runxfail tests/
 after_success:

README.md

@@ -58,6 +58,19 @@ NOMAD_TOKEN=xxxx-xxxx-xxxx-xxxx
 NOMAD_REGION=us-east-1a
 ```
 
+## With Vault integration.
+
+Vault info [:link:](vaultintegration.md)
+
+if you have configured a [Vault Integration ](https://www.nomadproject.io/docs/configuration/vault.html) to store your secrets.
+
+And you have configured: [`allow_unantenticated = false`](https://www.nomadproject.io/docs/configuration/vault.html#allow_unauthenticated)
+see  you must to export and send a valid `VAULT_TOKEN`.
+
+```bash
+VAULT_TOKEN=xxxx-xxxx-xxxx-xxxx
+```
+
 ## Class Dunders
 
 | Class | contains | len | getitem | iter |
@@ -96,15 +109,29 @@ pip install -r requirements-dev.txt
 ```
 
 ## Testing with vagrant and virtualbox
+
+- Define versions at vagrant file
+- Execute tests
 ```
 vagrant up --provider virtualbox
-py.test --cov=nomad --cov-report=term-missing --runxfail tests/
+```
+- Destroy Vagrant
+```
+vagrant destroy
 ```
 
 ## Testing with nomad binary
 ```
-./nomad agent -dev -node pynomad1 --acl-enabled
-NOMAD_IP=127.0.0.1 NOMAD_VERSION=<SEMNATIC_VERSION> py.test --cov=nomad --cov-report=term-missing --runxfail tests/
+export NOMAD_IP=127.0.0.1
+export NOMAD_VERSION=<SEMNATIC_VERSION>
+export VAULT_VERSION=<SEMNATIC_VERSION> # should be higher than 0.6.2
+./start_daemons.sh
+py.test --cov=nomad --cov-report=term-missing --runxfail tests/
+```
+
+after make your tests, you can stop the necesary daemons with
+```
+./stop_daemons.sh
 ```
 
 - Examples

Vagrantfile

@@ -1,18 +1,25 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 
-IP = "192.168.33.10"
-NOMAD_VERSION = "0.8.3"
-NOMAD_PORT_GUEST = 4646
-NOMAD_PORT_HOST = 4646
+NOMAD_IP="192.168.33.10"
+NOMAD_VERSION="0.8.6"
+NOMAD_PORT_GUEST=4646
+NOMAD_PORT_HOST=4646
+VAULT_VERSION="0.11.4"
+VAULT_PORT_GUEST=8200
+VAULT_PORT_HOST=8200
+VAULT_ADDR="http://127.0.0.1:8200"
+VAULT_TEST="true"
+
 
 Vagrant.configure(2) do |config|
 
 config.vm.box = "centos/7"
 
 config.vm.network "forwarded_port", guest: NOMAD_PORT_GUEST, host: NOMAD_PORT_HOST
+config.vm.network "forwarded_port", guest: VAULT_PORT_GUEST, host: VAULT_PORT_HOST
 
-config.vm.network "private_network", ip: "#{IP}"
+config.vm.network "private_network", ip: "#{NOMAD_IP}"
 
 config.vm.provider "virtualbox" do |vb|
 vb.name = "python-nomad"
@@ -22,8 +29,7 @@ end
 
 config.vm.provision "shell", inline: <<-SHELL
 
-if [ ! -e /etc/yum.repos.d/docker.repo ]
-  then
+if [ ! -e /etc/yum.repos.d/docker.repo ]; then
 tee /etc/yum.repos.d/docker.repo <<-EOF
 [dockerrepo]
 name=Docker Repository
@@ -38,22 +44,26 @@ yum -y install docker-engine unzip wget net-tools
 usermod -aG docker vagrant
 systemctl enable docker; systemctl start docker
 
-wget -q -P /tmp/ https://releases.hashicorp.com/nomad/#{NOMAD_VERSION}/nomad_#{NOMAD_VERSION}_linux_amd64.zip
-yes | unzip -d /tmp /tmp/nomad_#{NOMAD_VERSION}_linux_amd64.zip
+echo "pip for test inside the vagrant"
+curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
+python get-pip.py
+pip install -r /vagrant/requirements-dev.txt
 
-if [ ! -f /usr/bin/nomad ]
-  then
-    cp /tmp/nomad /usr/bin/.
-fi
+cat << EOF > /tmp/environment.vars.sh
+export NOMAD_IP="#{NOMAD_IP}"
+export NOMAD_VERSION="#{NOMAD_VERSION}"
+export NOMAD_PORT_GUEST="#{NOMAD_PORT_GUEST}"
+export NOMAD_PORT_HOST="#{NOMAD_PORT_HOST}"
+export VAULT_VERSION="#{VAULT_VERSION}"
+export VAULT_ADDR="#{VAULT_ADDR}"
+export VAULT_TEST="#{VAULT_TEST}"
+EOF
+chmod +x /tmp/environment.vars.sh
+source /tmp/environment.vars.sh
+cd /vagrant
+./start_daemons.sh
 
-if [ $(pgrep nomad) ]
-  then
-    echo "Nomad running"
-  else
-    echo "Starting Nomad"
-    nohup nomad agent -dev -bind #{IP} -node pynomad1 --acl-enabled > /dev/null 2>&1 &
-    sleep 30
-fi
+py.test --cov=nomad --cov-report=term-missing --runxfail tests/
 
 SHELL
 

nomad/__init__.py

@@ -10,11 +10,12 @@ def __init__(self,
         port=4646,
         address=os.getenv('NOMAD_ADDR', None),
         namespace=os.getenv('NOMAD_NAMESPACE', None),
-        token=os.getenv('NOMAD_TOKEN', None), 
-        timeout=5, 
-        region=os.getenv('NOMAD_REGION', None), 
-        version='v1', 
-        verify=False, 
+        token=os.getenv('NOMAD_TOKEN', None),
+        vaulttoken=os.getenv('VAULT_TOKEN', None),
+        timeout=5,
+        region=os.getenv('NOMAD_REGION', None),
+        version='v1',
+        verify=False,
         cert=()):
         """ Nomad api client
 
@@ -35,6 +36,9 @@ def __init__(self,
                                 be use to deploy or to ask info to nomad.
             - token (defaults to None), Specifies to append ACL token to the headers to
                                 make authentication on secured based nomad environemnts.
+            - vaulttoken (defaults to None), Specifies to append ACL token to the job and
+                                make authentication on environemnts with allow_unantenticated = false, where
+                                you must to send a valid vault token for policies.
            returns: Nomad api client object
 
            raises:
@@ -50,6 +54,7 @@ def __init__(self,
         self.timeout = timeout
         self.version = version
         self.token = token
+        self.vaulttoken = vaulttoken
         self.verify = verify
         self.cert = cert
         self.__namespace = namespace
@@ -60,6 +65,7 @@ def __init__(self,
             "port": self.port,
             "namespace": self.__namespace,
             "token": self.token,
+            "vaulttoken": self.vaulttoken,
             "timeout": self.timeout,
             "version": self.version,
             "verify": self.verify,
@@ -103,6 +109,9 @@ def get_namespace(self):
     def get_token(self):
         return self.token
 
+    def get_vaulttoken(self):
+        return self.vaulttoken
+
     @property
     def jobs(self):
         return self._jobs

nomad/api/base.py

@@ -10,11 +10,12 @@ class Requester(object):
 
     ENDPOINT = ""
 
-    def __init__(self, address=None, uri='http://127.0.0.1', port=4646, namespace=None, token=None, timeout=5, version='v1', verify=False, cert=(), region=None, **kwargs):
+    def __init__(self, address=None, uri='http://127.0.0.1', port=4646, namespace=None, token=None, vaulttoken=None, timeout=5, version='v1', verify=False, cert=(), region=None, **kwargs):
         self.uri = uri
         self.port = port
         self.namespace = namespace
         self.token = token
+        self.vaulttoken = vaulttoken
         self.timeout = timeout
         self.version = version
         self.verify = verify
@@ -99,6 +100,12 @@ def _request(self, method, endpoint, params=None, data=None, json=None, headers=
             except TypeError:
                 headers = {"X-Nomad-Token": self.token}
 
+        if method == "post":
+            if json:
+                if self.vaulttoken:
+                    if "Job" in json:
+                        json["Job"]["VaultToken"] = self.vaulttoken
+
         response = None
 
         try: