I am using HashiCorp Nomad to deploy a Docker image stored in a registry that requires credentials to access. According to the docs, I can use the auth object to specify the username and password; however, the credentials must be in the manifest file, which I do not want. For example, in Kubernetes, registry credentials can be stored in a secret and used with imagePullSecrets.
How can I use the registry credentials without having to store them in the manifest itself (i.e., environment variables in CI, env variable on the client, secret store such as Vault)?
If I understand correctly, you should be doing docker login individually on each Nomad agent capable of running Docker containers or copying the config.json with the auth token across each machine.
To answer the written question, though, env-vars would work, assuming the tool you're using knows what to do with the variables.
Nomad offers native Vault integration. Secrets will be placed under /local of the application, and can be sourced during runtime of the container's entrypoint script such that environment variables are available.
Alternatively, you can use the templates feature of the Nomad spec to write out a consul-template string to your Docker Daemon's config.json.
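
The agent-level approach from the answer above, as an added example that is not part of the original post: the Docker driver's `auth` option in the Nomad client configuration points at a credentials file on the agent, so the job file carries no secret. The file paths, the registry host `registry.example.com`, and the job, group and task names are assumptions chosen for illustration.

```hcl
# ---- Nomad client agent config (path assumed, e.g. /etc/nomad.d/client.hcl) ----
# The Docker driver on this agent reads registry credentials from a
# dockercfg-format file, the same format `docker login` writes to config.json.
plugin "docker" {
  config {
    auth {
      # Assumed path. Restrict the file to the user the Nomad client runs as
      # (for example mode 0600), since it holds the registry auth token.
      config = "/etc/docker-auth.json"
    }
  }
}

# ---- Job file (kept in version control; contains no credentials) ----
job "private-app" {
  datacenters = ["dc1"]

  group "app" {
    task "app" {
      driver = "docker"

      config {
        # No auth block here: the image pull is authenticated with the
        # agent-level file configured above.
        image = "registry.example.com/team/app:1.0.0"
      }
    }
  }
}
```

Every Docker-capable client that may be scheduled this job needs the same plugin setting and credentials file, otherwise the pull fails on the agents that lack it.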