{# Renders the `vault` stanza of the Nomad agent configuration (HCL).
   NOTE(review): the whole stanza is guarded by nomad_use_tls, i.e. the
   agent's own TLS setting, rather than by nomad_vault_enabled — confirm
   that coupling is intended. #}
{% if nomad_use_tls | bool == True %}
vault {
# Specifies the address to the Vault server. This must include the protocol,
# host/ip, and port given in the format protocol://host:port. If your Vault
# installation is behind a load balancer, this should be the address of the
# load balancer.
address = "{{ nomad_vault_address }}"
# Specifies if users submitting jobs to the Nomad server should be required
# to provide their own Vault token, proving they have access to the policies
# listed in the job. This option should be disabled in an untrusted
# environment.
# When true, job tokens are derived from the server's own `token` below
# without the submitter proving access to the requested policies, so the
# policy set of that token bounds what an unauthenticated submitter can get.
allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
# Specifies if the Vault integration should be activated.
enabled = {{ nomad_vault_enabled | bool | lower }}
# Specifies the role to create tokens from. The token given to Nomad does
# not have to be created from this role but must have "update" capability
# on "auth/token/create/<create_from_role>" path in Vault. If this value is
# unset and the token is created from a role, the value is defaulted to the
# role the token is from. This is largely for backwards compatibility. It
# is recommended to set the create_from_role field if Nomad is deriving
# child tokens from a role.
create_from_role = "{{ nomad_vault_create_from_role }}"
# Specifies the TTL of created tokens when using a root token. This is
# specified using a label suffix like "30s" or "1h".
task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
{# NOTE(review): the `-%}` strips the newline after this tag; every key in
   this branch, including ones with an empty variable, is emitted whenever
   nomad_vault_use_ssl is true — confirm empty values render as something
   Nomad accepts as "unset". #}
{% if nomad_vault_use_ssl | bool == True -%}
# Specifies an optional path to the CA certificate used for Vault
# communication. If unspecified, this will fallback to the default system
# CA bundle, which varies by OS and version.
ca_file = "{{ nomad_vault_ca_file }}"
# Specifies an optional path to a folder containing CA certificates to be
# used for Vault communication. If unspecified, this will fallback to the
# default system CA bundle, which varies by OS and version.
ca_path = "{{ nomad_vault_ca_path }}"
# Specifies the path to the certificate used for Vault communication. This
# must be set if tls_require_and_verify_client_cert is enabled in Vault.
cert_file = "{{ nomad_vault_cert_file }}"
# Specifies the path to the private key used for Vault communication. If
# this is set then you need to also set cert_file. This must be set if
# tls_require_and_verify_client_cert is enabled in Vault.
key_file = "{{ nomad_vault_key_file }}"
{# NOTE(review): `namespace` is only emitted inside the nomad_vault_use_ssl
   branch, although nothing in its description ties it to TLS — confirm a
   non-TLS Vault with a namespace is not an intended configuration. #}
# Specifies the Vault namespace used by the Vault integration. If non-empty,
# this namespace will be used on all Vault API calls.
namespace = "{{ nomad_vault_namespace }}"
# Specifies an optional string used to set the SNI host when connecting to
# Vault via TLS.
tls_server_name = "{{ nomad_vault_tls_server_name }}"
# Specifies if SSL peer validation should be enforced.
# Note the inversion: `true` skips verification of the Vault server's
# certificate, which leaves the connection open to interception; keep it
# false outside of throwaway test setups.
tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }}
{% endif %}
# Specifies the parent Vault token to use to derive child tokens for jobs
# requesting tokens. Only required on Nomad servers. Nomad client agents
# use the allocation's token when contacting Vault. Visit the Vault
# Integration Guide to see how to generate an appropriate token in Vault.
# This value lands in the rendered config file in plaintext, so the file
# mode set by the task that writes it must restrict readers — TODO confirm.
token = "{{ nomad_vault_token }}"
}
{% endif %}