@greenbrian
Created November 10, 2018 21:02
Nomad + Vault agent
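#!/usr/bin/env bash
# Start the Nomad agent with a Vault token obtained by unwrapping the
# response-wrapped token that Vault Agent wrote to its file sink.
#
# Exit status: 1 if the sink file is missing, holds no wrapping token, or the
# unwrap fails. On success this shell is replaced by the nomad process.

readonly sink_file=/mnt/ramdisk/token

if [ ! -f "$sink_file" ]; then
  echo "Nomad service failed due to missing Vault token" >&2
  exit 1
fi

# -e makes jq exit non-zero when .token is null or absent, so the literal
# string "null" is never handed to vault as a wrapping token.
if ! wrapping_token=$(jq -er '.token' "$sink_file"); then
  echo "Nomad service failed: no wrapping token found in $sink_file" >&2
  exit 1
fi

# A wrapping token is single-use and short-lived. A failed unwrap therefore
# means it expired or was already consumed; treat that as fatal instead of
# starting Nomad with an empty VAULT_TOKEN.
if ! VAULT_TOKEN=$(vault unwrap -field=token "$wrapping_token") \
  || [ -z "$VAULT_TOKEN" ]; then
  echo "Nomad service failed: could not unwrap Vault token" >&2
  exit 1
fi

# Export instead of `env VAULT_TOKEN=...` so the unwrapped token is passed
# through the environment only and never appears on a command line.
export VAULT_TOKEN

# NOTE(security): -vault-tls-skip-verify=true turns off certificate
# verification for Nomad's connection to Vault. Kept to preserve the original
# behaviour; supply a CA certificate and drop this flag where Vault serves TLS.
exec /usr/local/bin/nomad agent \
  -config=/etc/nomad.d \
  -vault-tls-skip-verify=true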
# systemd unit for the Nomad agent. Before each start it runs Vault Agent to
# write a wrapped Vault token, then launches Nomad through a wrapper script.
[Unit]
Description=Nomad Agent
# Pull in consul-online.target and order this unit after it.
Requires=consul-online.target
After=consul-online.target
[Service]
# On stop, signal only the main process, using SIGINT.
KillMode=process
KillSignal=SIGINT
# NOTE(security): the Vault address uses plain http://, so authentication and
# the token unwrap are not protected by TLS on the wire.
Environment=VAULT_ADDR=http://active.vault.service.consul:8200
# NOTE(security): disables certificate verification for the vault CLI.
# Presumably has no effect while VAULT_ADDR is http:// - confirm, and remove
# once Vault is reached over verified TLS.
Environment=VAULT_SKIP_VERIFY=true
# Runs before ExecStart on every start and restart; the agent config is
# expected to make it exit once the token sink has been written.
ExecStartPre=/usr/local/bin/vault agent -config /etc/vault-agent.d/vault-agent.hcl
# Wrapper that unwraps the sink token and execs the nomad agent.
ExecStart=/usr/bin/nomad-vault.sh
ExecReload=/bin/kill -HUP $MAINPID
# Restart on failure after 2 s, at most 3 starts within 10 s.
Restart=on-failure
RestartSec=2
# NOTE(review): current systemd documents the StartLimit* settings under
# [Unit]; confirm they are honoured when placed in [Service].
StartLimitBurst=3
StartLimitIntervalSec=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
# Vault Agent configuration: authenticate once, write a response-wrapped
# token to a file sink, then exit.

# Exit after a successful authentication instead of running as a daemon.
exit_after_auth = true
auto_auth {
# Authenticate with the AWS auth method (IAM type) against role "nomad".
method "aws" {
mount_path = "auth/aws"
config = {
type = "iam"
role = "nomad"
}
}
# Write the token to a file. wrap_ttl means the file holds a wrapping token,
# not the real one; the consumer has 5 minutes to unwrap it, and only once.
sink "file" {
wrap_ttl = "5m"
config = {
# Presumably a RAM-backed mount so the token never reaches disk - confirm.
# NOTE(review): check that the file is readable only by the service user.
path = "/mnt/ramdisk/token"
}
}
}