# implement function writeToFile in template stanza #12095
How would that work? templating is generally done on the client side before the resulting json (?) is submitted to the server.

Well the Fortunately this is simply a matter of updating our consul-template dependency. We're currently on 0.25.2 and the

Oh my mistake, I mixed that up with the HCL function stuff.

@tgross I doubt it is simply fixed by updating consul-template as that would introduce quite some security issues. Nomad often runs as root and having

Right, we'd need to sandbox it the same as we do for
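The sandboxing that the comment above refers to is a path-containment check: a template destination is re-rooted under the allocation directory and rejected if it would resolve outside it. The following is an added illustration of that check, not Nomad's own implementation; the allocation directory path in `main` is hypothetical. It covers the three ways a destination escapes: an absolute host path, `..` segments, and a symlink already planted inside the sandbox that points outside it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesSandbox is returned when a destination would resolve outside
// the allocation directory.
var ErrEscapesSandbox = errors.New("destination escapes the allocation sandbox")

// sandboxedPath re-roots a template destination under allocDir and rejects
// anything that would land outside it. Absolute paths are treated as
// relative to the sandbox, ".." segments are cleaned, and symlinks in any
// already-existing prefix are resolved so a link planted inside the sandbox
// cannot redirect the write to a host path. Illustration only, not Nomad's code.
func sandboxedPath(allocDir, dest string) (string, error) {
	root, err := filepath.Abs(allocDir)
	if err != nil {
		return "", err
	}
	if r, err := filepath.EvalSymlinks(root); err == nil {
		root = r // canonical form of the root, so the comparison below is fair
	}
	// Join cleans ".." segments, which can move the result above root;
	// the containment check after symlink resolution enforces the boundary.
	candidate := filepath.Join(root, dest)
	resolved, err := resolveExistingPrefix(candidate)
	if err != nil {
		return "", err
	}
	if !within(root, resolved) {
		return "", ErrEscapesSandbox
	}
	return resolved, nil
}

// resolveExistingPrefix evaluates symlinks in the longest existing prefix of p
// and re-appends the not-yet-existing tail unchanged.
func resolveExistingPrefix(p string) (string, error) {
	var tail []string
	cur := p
	for {
		r, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(append([]string{r}, tail...)...), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(cur)
		if parent == cur { // reached the filesystem root without finding anything
			return p, nil
		}
		tail = append([]string{filepath.Base(cur)}, tail...)
		cur = parent
	}
}

// within reports whether p is root itself or lies beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Hypothetical allocation directory; it need not exist for the check to run.
	alloc := "/opt/nomad/data/alloc/example/traefik"
	for _, d := range []string{
		"local/conf/dynamic/cert.toml", // normal task-local destination
		"/etc/cron.d/pwn",              // absolute path: re-rooted, not written to the host
		"../../../../etc/passwd",       // dot-dot escape: rejected
	} {
		p, err := sandboxedPath(alloc, d)
		fmt.Printf("%-30s -> %s %v\n", d, p, err)
	}
}
```

The point of the symlink handling is that checking the cleaned string alone is not enough once the task can create files in its own directory: a link from `local/x` to `/etc` turns `local/x/cron.d/pwn` into a host write unless the existing prefix is resolved before the containment check.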
I use template to provide ssl certs to ingress traefik. Something like this:

```hcl
dynamic "template" {
  for_each = local.vault_certs
  content {
    destination = "${NOMAD_TASK_DIR}/conf/dynamic/cert-${template.value}.toml"
    env         = false
    change_mode = "restart"
    splay       = "1m"
    data        = <<-EOH
      [[tls.certificates]]
        certFile = "/secrets/certs/${template.value}.crt"
        keyFile  = "/secrets/certs/${template.value}.key"
    EOH
  }
}

dynamic "template" {
  for_each = local.vault_certs
  content {
    destination = "${NOMAD_SECRETS_DIR}/certs/${template.value}.crt"
    env         = false
    change_mode = "restart"
    splay       = "1m"
    data        = <<-EOH
      {{- with secret "secrets/traefik/certs/${template.value}" -}}
      {{.Data.data.fullchain}}
      {{- end -}}
    EOH
  }
}

dynamic "template" {
  for_each = local.vault_certs
  content {
    destination = "${NOMAD_SECRETS_DIR}/certs/${template.value}.key"
    env         = false
    change_mode = "restart"
    splay       = "1m"
    data        = <<-EOH
      {{- with secret "secrets/traefik/certs/${template.value}" -}}
      {{.Data.data.privkey}}
      {{- end -}}
    EOH
  }
}
```
@Xerkus where do you define the I now have

But am stuck at the

@chrisvanmeer it is still static setup that is using HCL2 locals rendered by nomad cli on job submission. I created repo with sample setup: https://github.com/Xerkus/traefik-nomad-vault-certbot

Thanks

Hey @schmichael, I assigned you on this one since it overlaps with the SD/CT work you're on. If that's not the case, let me know and unassign yourself!
Resolves #12095 by WONTFIXing it. This approach disables `writeToFile` as it allows arbitrary host filesystem writes and is only a small quality of life improvement over multiple `template` stanzas. This approach has the significant downside of leaving people who have altered their `template.function_denylist` *still vulnerable!* I added an upgrade note, but we should have implemented the denylist as a `map[string]bool` so that new funcs could be denied without overriding custom configurations. This PR also includes a bug fix that broke enabling all consul-template funcs. We repeatedly failed to differentiate between a nil (unset) denylist and an empty (allow all) one.
I plan on merging #12312 which will disable For users who trust their jobspec authors and template sources completely, you can enable

```hcl
client {
  template {
    function_denylist = []
  }
}
```

I know this isn't ideal, but securing
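The PR text above describes two separate denylist problems: a bug where an empty `function_denylist` was confused with an unset one (so allowing every function did not work), and a design limitation where a customised slice replaces the defaults wholesale, leaving operators who had already overridden the list without the new `writeToFile` denial. The following is an added Go sketch of those three behaviours side by side; it is not Nomad's or consul-template's code, and the contents of `defaultDenylist` are an assumption based on the function names mentioned in this thread.

```go
package main

import (
	"fmt"
	"sort"
)

// defaultDenylist stands in for the client's default template.function_denylist.
// The two names come from this thread (plugin already denied, writeToFile added);
// the exact default is an assumption here, not a citation.
var defaultDenylist = []string{"plugin", "writeToFile"}

// denylistBuggy reproduces the nil-vs-empty confusion described in the PR
// text: an explicitly empty list is treated like an unset one, so an operator
// who writes function_denylist = [] to allow every function still gets the
// defaults and cannot enable them.
func denylistBuggy(configured []string) map[string]bool {
	if len(configured) == 0 { // wrong: conflates nil (unset) with [] (allow all)
		configured = defaultDenylist
	}
	return toSet(configured)
}

// denylistFixed keeps the distinction: nil means the operator said nothing and
// the defaults apply; a non-nil slice, empty or not, is taken literally. Its
// remaining weakness is the one the PR calls out: a customised list replaces
// the defaults wholesale, so writeToFile stays enabled for anyone who had
// already overridden the list before it was added to the defaults.
func denylistFixed(configured []string) map[string]bool {
	if configured == nil {
		configured = defaultDenylist
	}
	return toSet(configured)
}

// denylistMerged is the map[string]bool design the PR says it should have used:
// defaults are applied first and the operator's map only overrides the entries
// it names, so a new default denial reaches existing configurations unless it
// is explicitly set to false.
func denylistMerged(configured map[string]bool) map[string]bool {
	set := toSet(defaultDenylist)
	for fn, deny := range configured {
		if deny {
			set[fn] = true
		} else {
			delete(set, fn)
		}
	}
	return set
}

// denied reports whether fn would be removed from the template function map.
func denied(set map[string]bool, fn string) bool { return set[fn] }

func toSet(names []string) map[string]bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		set[n] = true
	}
	return set
}

// names lists the denied functions in a stable order, for display.
func names(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for fn := range set {
		out = append(out, fn)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("unset, fixed:            ", names(denylistFixed(nil)))
	fmt.Println("[], buggy:               ", names(denylistBuggy([]string{})))
	fmt.Println("[], fixed:               ", names(denylistFixed([]string{})))
	fmt.Println(`["plugin"], fixed:       `, names(denylistFixed([]string{"plugin"})))
	fmt.Println(`{plugin: true}, merged:  `, names(denylistMerged(map[string]bool{"plugin": true})))
	fmt.Println(`{writeToFile: false}, merged:`, names(denylistMerged(map[string]bool{"writeToFile": false})))
}
```

The nil/empty distinction only works if the config decoder preserves it, which is the usual Go convention (an omitted key decodes to a nil slice, `[]` to an empty non-nil one); a check such as `len(configured) == 0` throws that information away, which is the shape of the bug the PR describes.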
## Proposal

Add consul-template `writeToFile` function.

## Use-cases

### Managing directories with config files
I have a separate repository with dashboards and alerts (let's look at dashboards only):
`cat main.tf`

When I run `terraform apply` dashboards appear in Consul:

In Grafana I have the following provisioning config:

And finally a Nomad template stanza:

Currently the task is unable to start with error:

```
Template failed: (dynamic): parse: template: :2: function "writeToFile" not defined
```
### Dynamic credentials as separate files
Another usecase would be with database credentials. Instead of restarting the task as in:
Credentials can be written to a file:
And then used in Grafana config:
This way no restart is required as Grafana can reread credentials on signal, if I'm not mistaken.
### File owner/permissions

And it will help with files created with the wrong user/permissions.

For example, now it is not possible to generate a TLS key pair for postgres when running postgres as non-root. Keys will be owned by the root user and postgres will not be able to read them, OR using `perms = 777` postgres will refuse to start with `not secure permissions on TLS keys`. This can be remedied with

```
{{ key "my/key/path" | writeToFile "/my/file/path.txt" "my-user" "my-group" "0644" "append,newline" }}
```

I hope that makes sense.