github.com/maier/nomad@v0.4.1-0.20161110003312-a9e3d0b8549d/website/source/docs/agent/configuration/vault.html.md

---
layout: "docs"
page_title: "vault Stanza - Agent Configuration"
sidebar_current: "docs-agent-configuration-vault"
description: |-
  The "vault" stanza configures Nomad's integration with HashiCorp's Vault.
  When configured, Nomad can create and distribute Vault tokens to tasks
  automatically.
---

# `vault` Stanza

<table class="table table-bordered table-striped">
  <tr>
    <th width="120">Placement</th>
    <td>
      <code>**vault**</code>
    </td>
  </tr>
</table>

The `vault` stanza configures Nomad's integration with [HashiCorp's
Vault][vault]. When configured, Nomad can create and distribute Vault tokens to
tasks automatically. For more information on the architecture and setup, please
see the [Nomad and Vault integration documentation][nomad-vault].

```hcl
vault {
  enabled = true
  address = "https://vault.company.internal:8200"
}
```

## `vault` Parameters

- `address` `(string: "https://vault.service.consul:8200")` - Specifies the
  address of the Vault server. This must include the protocol, host/IP, and
  port, in the format `protocol://host:port`. If your Vault installation is
  behind a load balancer, this should be the address of the load balancer.

- `allow_unauthenticated` `(bool: true)` - Specifies whether users submitting
  jobs to the Nomad server may omit their own Vault token. When set to `false`,
  a job that requests Vault policies must be submitted with a Vault token
  proving the submitter has access to those policies. This option should be
  disabled in an untrusted environment.

- `enabled` `(bool: false)` - Specifies if the Vault integration should be
  activated.

- `task_token_ttl` `(string: "")` - Specifies the TTL of created tokens when
  using a root token. This is specified using a label suffix like "30s" or "1h".

- `ca_file` `(string: "")` - Specifies an optional path to the CA certificate
  used for Vault communication. If unspecified, this will fall back to the
  default system CA bundle, which varies by OS and version.

- `ca_path` `(string: "")` - Specifies an optional path to a folder containing
  CA certificates to be used for Vault communication. If unspecified, this will
  fall back to the default system CA bundle, which varies by OS and version.

- `cert_file` `(string: "")` - Specifies the path to the client certificate
  used for Vault communication. If this is set, `key_file` must also be set.

- `key_file` `(string: "")` - Specifies the path to the private key used for
  Vault communication. If this is set, `cert_file` must also be set.

- `tls_server_name` `(string: "")` - Specifies an optional string used to set
  the SNI host when connecting to Vault via TLS.

- `tls_skip_verify` `(bool: false)` - Specifies if SSL peer validation should
  be skipped. With the default of `false`, the Vault server's certificate is
  verified against the configured or system CA bundle.

    !> It is **strongly discouraged** to disable SSL verification. Instead, you
    should install a custom CA bundle and validate against it. Disabling SSL
    verification can allow an attacker to easily compromise your cluster.

- `token` `(string: "")` - Specifies the parent Vault token used to derive
  child tokens for jobs that request tokens. Visit the
  [Vault Integration](/docs/vault-integration/index.html) documentation to see
  how to generate an appropriate token in Vault.

    !> It is **strongly discouraged** to place the token as a configuration
    parameter like this, since the token could be checked into source control
    accidentally. Users should set the `VAULT_TOKEN` environment variable when
    starting the agent instead.

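As an added example (not Nomad's own code), the following Python script reads the `vault` stanza of an agent configuration and flags the settings the parameter list above warns against: `tls_skip_verify`, a `token` kept in the file, `allow_unauthenticated` left enabled, a non-HTTPS `address`, and `cert_file` without `key_file`. The sample configuration is constructed, and the `key = value` reader is a deliberately minimal assumption rather than a full HCL parser.

```python
# Added example (not Nomad code): audit a Nomad agent's `vault` stanza for
# the weak settings this page warns about. The sample config is constructed
# and the key = value reader is a minimal assumption, not a full HCL parser.
import re

SAMPLE_CONFIG = """
vault {
  enabled               = true
  address               = "http://vault.company.internal:8200"
  allow_unauthenticated = true
  tls_skip_verify       = true
  token                 = "PLACEHOLDER-NOT-A-REAL-TOKEN"
  cert_file             = "/var/certs/vault.crt"
}
"""

_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')

def parse_vault_stanza(text):
    """Return the key/value pairs inside the first `vault { ... }` block."""
    block = re.search(r"vault\s*\{(.*?)\}", text, re.S)
    pairs = {}
    if block:
        for line in block.group(1).splitlines():
            kv = _KV.match(line)
            if kv:
                pairs[kv.group(1)] = kv.group(2)
    return pairs

def audit_vault_stanza(cfg):
    """Return one finding per discouraged setting; defaults follow this page."""
    findings = []
    if cfg.get("enabled", "false") != "true":
        return findings  # integration is off, so the other keys are inert
    if cfg.get("tls_skip_verify", "false") == "true":
        findings.append("tls_skip_verify=true: the Vault server certificate is not verified")
    if "token" in cfg:
        findings.append("token in config file: set VAULT_TOKEN in the agent's environment instead")
    if cfg.get("allow_unauthenticated", "true") == "true":
        findings.append("allow_unauthenticated=true: job submitters need not present a Vault token")
    if not cfg.get("address", "https://vault.service.consul:8200").startswith("https://"):
        findings.append("address is not https: traffic to Vault, including tokens, is cleartext")
    if ("cert_file" in cfg) != ("key_file" in cfg):
        findings.append("cert_file and key_file must be set together for client TLS auth")
    return findings

if __name__ == "__main__":
    for finding in audit_vault_stanza(parse_vault_stanza(SAMPLE_CONFIG)):
        print("WARN:", finding)
```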

## `vault` Examples

The following examples only show the `vault` stanzas. Remember that the
`vault` stanza is only valid in the placements listed above.

### Custom Address

This example shows using a custom Vault address:

```hcl
vault {
  enabled = true
  address = "https://vault.company.internal:8200"
}
```

### TLS Configuration

This example shows utilizing a custom CA bundle and client certificate and key
to authenticate between Nomad and Vault:

```hcl
vault {
  enabled         = true
  ca_path         = "/etc/certs/ca"
  cert_file       = "/var/certs/vault.crt"
  key_file        = "/var/certs/vault.key"
  tls_server_name = "nomad.service.consul"
}
```

[vault]: https://www.vaultproject.io/ "Vault by HashiCorp"
[nomad-vault]: /docs/vault-integration/index.html "Nomad Vault Integration"