pkiCert does not properly save certificates across multiple templates #24803

Open
remilapeyre opened this issue Jan 7, 2025 · 2 comments
Labels
stage/needs-investigation theme/docs Documentation issues and enhancements type/bug

Comments

@remilapeyre
Contributor

Nomad version

v1.9.3

Issue

The information at

> #### As individual files
> For templates, all dependencies are mapped into a single list. This means that
> multiple templates watching the same path return the same data.
> ```hcl
> template {
>   data = <<EOH
> {{ with pkiCert "pki/issue/foo" "common_name=foo.service.consul" "ip_sans=127.0.0.1" }}
> {{- .Cert -}}
> {{ end }}
> EOH
>   destination = "${NOMAD_SECRETS_DIR}/certificate.crt"
>   change_mode = "restart"
> }
> template {
>   data = <<EOH
> {{ with pkiCert "pki/issue/foo" "common_name=foo.service.consul" "ip_sans=127.0.0.1" }}
> {{- .CA -}}
> {{ end }}
> EOH
>   destination = "${NOMAD_SECRETS_DIR}/ca.crt"
>   change_mode = "restart"
> }
> template {
>   data = <<EOH
> {{ with pkiCert "pki/issue/foo" "common_name=foo.service.consul" "ip_sans=127.0.0.1" }}
> {{- .Key -}}
> {{ end }}
> EOH
>   destination = "${NOMAD_SECRETS_DIR}/private_key.key"
>   change_mode = "restart"
> }
> ```
> These are three different input templates, but when run under the Nomad job,
> they are compressed into a single call, sharing the resulting data.

is wrong: pkiCert does not save the certificates, and all three templates make a call to Vault, which means that the certificate and the private key will not match.

This part of the documentation has been changed in 1eb1dbf#diff-2e97a76f1d2de1fec74a5033b6be6625127e85de0c991ce328535bd384659807L654. Previously the example used the `secret` function, which does save its result across invocations, so the text was correct.

The change to this part of the documentation should be rolled back for now, and caching support could be added to pkiCert later.
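The practical consequence of the behaviour described above is that a rendered `certificate.crt` and `private_key.key` can come from two different Vault issue calls and therefore not belong together. The following Go program, added here as an illustration and not part of the issue or of Nomad, shows how to detect that mismatch before a service is started. It stands in for Vault's `pkiCert` with a local `IssueCert` helper (a fresh key and a self-signed certificate per call, which is an assumption made for the example) and uses `tls.X509KeyPair` from the standard library, which refuses to load a certificate whose public key does not match the supplied private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IssueCert stands in for one pkiCert call: every invocation produces a fresh
// key pair and a self-signed certificate for it. This is a constructed local
// substitute for Vault's PKI engine, used only so the example runs offline.
func IssueCert(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// KeyMatchesCert reports whether keyPEM is the private key belonging to the
// leaf certificate in certPEM. tls.X509KeyPair parses both and fails with
// "private key does not match public key" when they come from different issue
// calls, which is exactly the failure the templates above can produce.
func KeyMatchesCert(certPEM, keyPEM []byte) bool {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}

func main() {
	// One "call": cert and key belong together.
	cert, key, err := IssueCert("foo.service.consul")
	if err != nil {
		panic(err)
	}
	// A second "call" for the same common name, as a separate template would make.
	_, otherKey, err := IssueCert("foo.service.consul")
	if err != nil {
		panic(err)
	}
	fmt.Println("same call:      ", KeyMatchesCert(cert, key))      // true
	fmt.Println("separate calls: ", KeyMatchesCert(cert, otherKey)) // false
}
```

Pointing `KeyMatchesCert` at the rendered `certificate.crt` and `private_key.key` files (for example from a prestart task) turns the silent mismatch into a hard failure at deploy time instead of a TLS handshake error later; the equivalent manual check is comparing the output of `openssl x509 -noout -pubkey` on the certificate with `openssl pkey -pubout` on the key.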

@pkazmierczak
Contributor

Hey @remilapeyre, thanks for reporting the issue. @aimeeu, can you have a look at this?

@pkazmierczak pkazmierczak moved this from Needs Triage to Triaging in Nomad - Community Issues Triage Jan 8, 2025
@pkazmierczak pkazmierczak added the theme/docs Documentation issues and enhancements label Jan 8, 2025
@aimeeu aimeeu self-assigned this Jan 8, 2025
@pkazmierczak pkazmierczak self-assigned this Jan 8, 2025
@pkazmierczak
Contributor

OK @remilapeyre, I looked into this and indeed 3 calls are being made and the certificates do not match. At this point I still can't say if this is a mistake in the documentation or if it's a bug in our template engine. I'll put this on our board, thanks again for reporting.

@pkazmierczak pkazmierczak moved this from Triaging to Needs Roadmapping in Nomad - Community Issues Triage Jan 9, 2025
Projects
Status: Needs Roadmapping