Nomad Variables are not accessible in Job specification
I am new to Nomad and trying to figure out how can I make a use of variables in Nomad using template and I am struggling to figure out how that can be achieved.
Here is my partial job specification which uses template write variable in a ${NOMAD_SECRETS_DIR} and access it as environment variable
template {
destination = "${NOMAD_SECRETS_DIR}/env.vars"
env = true
data = <<EOH
{{ range nomadVarList "nomad/jobs@arch-team" }}
{{ . }}
{{ end }}
EOH
}
Where arch-team is the namespace in which variables are created as seen below
Here are my two variables:
Here is my job specification where I am trying to access those variables (role_id and temp_environment) in env stanza.
job "email-api" {
datacenters = ["dc1"]
node_pool = "rhel-8x"
namespace = "arch-team"
group "api" {
scaling {
min = 1
max = 10
enabled = true
}
update {
max_parallel = 3
health_check = "checks"
min_healthy_time = "10s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
auto_promote = true
canary = 1
stagger = "30s"
}
spread {
attribute = "${node.unique.id}"
}
network {
port "http"{
to = 80
}
}
service {
name = "emailhandler-api"
port = "http"
}
task "server" {
template {
destination = "${NOMAD_SECRETS_DIR}/env.vars"
env = true
data = <<EOH
{{ range nomadVarList "nomad/jobs@arch-team" }}
{{ . }}
{{ end }}
EOH
}
env {
environment = "${NOMAD_PORT_http}"
NODE_IP = "${NOMAD_IP_http}"
ASPNETCORE_ENVIRONMENT = "${temp_environment}"
HashiVaultRoleId_arch = "${role_id}"
}
driver = "docker"
config {
image = "myregistry/sr.emailhandler.webapi:0.1.22"
ports = ["http"]
force_pull = true
}
}
}
}
I exported $NOMAD_TOKEN which is really a management token… When I plan and run job, it just waits and then fails.
I just don’t know how to check what might have happened while trying to get those variables. Is there anything I need to do to read these variables? As I mentioned, I am running job using my nomad_token which is a management token.
Also if someone can tell me how to access the detailed logs of a job I submitted. I tried nomad alloc logs <allocation_id> but it only prints logs that my job writes on console. I don’t see any logs from Nomad.
I will appreciate help in this regards. I am struggling from last couple of days with this.
EDIT 1
Based on suggestion from @KamilCuk, I created workload ACL Policy that looks something like this (hcl file called jobs-variables-policy.hcl):
namespace "arch-team" {
variables {
path "*" {
capabilities = ["read"]
}
}
}
I then applied policy as follows:
nomad acl policy apply -namespace arch-team -job email-api email-api-policy ./jobs-variables-policy.hcl
I also made changed to a template which now looks something like this:
template {
destination = "${NOMAD_SECRETS_DIR}/envs.txt"
env = true
data = <<EOH
{{ range nomadVarList "nomad/jobs" }}{{ . }}{{ end }}
EOH
}
Now when I run the job, I get the following error while allocating:
Killing: Template failed to read environment variables: error parsing env template "/opt/nomad/data/alloc/fe60924e-a929-39e6-7c9d-8c3c83ec2621/server/secrets/envs.txt": error on line 1: missing =
EDIT 2
Little more progress after suggestions from @KamilCuk I made changes to a template as seen below:
template {
destination = "${NOMAD_SECRETS_DIR}/envs.txt"
env = true
data = <<EOH
{{with nomadVar "nomad/jobs@arch-team" }}
{{range $k, $v := . }}
{{ $k }}={{ $v }}
{{ end }}
{{ end }}
EOH
}
Looks like it is getting those key/value pair.. but there is a lot of whitespace around it as seen below:
Also When I refer to ${environment} in my env stanza in my task, it doesn't have that value of dev
Typically I use nomad variables like the following:
{{with nomadVar "nomad/jobs/<the_name_of_the_job>"}}
ASPNETCORE_ENVIRONMENT={{.environment}}
{{end}}
The {{.}} does not egenerate k=v format readable by env=true, but some internal Go object representation unreadable to anyone.
The nomad/jobs nomad variable directory should be accessible by any job, you can share your variables between all jobs within a namesapce there.
- Creating azurerm_postgresql_flexible_server_firewall_rule with for_each
- Hashicorp Vault ACL Policy Templating / for Vault host key signing
- HashiCorp Vault Error 403 Permission denied
- Get Managed Identity Application ID from ADF with terraform
- Passing the alias databricks provider - terraform
- Error: Iteration over non-iterable value - terraform
- Nomad .net Core 8 service and Exit Code: 134, Signal: 6
- Terraform "required_providers" block, configuration_aliases argument
- Nomad Variables are not accessible in Job specification
- unable to update terraform version
- Reference the iteration number in a Hashicorp Packer for_each loop
- how to write a condition in for_each in terraform
- terraform only name in even numbers
- Terraform does not have endtime attribute for monitor_autoscale_setting resource
- Terraform aws_eip resource getting "Error" of Value for unconfigurable attribute
- Terraform create map with certain keys dynamic
- unable to get specific version of key-value from Hashicorp Vault
- Hashicorp's Nomad template explanation
- GPG error: https://apt.releases.hashicorp.com bionic InRelease: The following signatures couldn't be verified because the public key is not available
- How to create multiple private DNS zones and then on each zone create multiple private DNS virtual link using for each loop in terraform azure
- Vault transit engine key lease duration
- Unable to add member to vault group with terraform
- The double master phenomenon
- Parsing Terraform json output
- Adding retry properties to AWS batch job in terraform
- Terraform array variable to string from vault
- How to merge a default list of Object with values from tfvars (Terraform)
- Terraform: Nested for expression with no duplicity
- The given key does not identify an element in this collection value for azure storage account primary_access_key output value
- How to create multiple storage accounts with specific container count in terraform