1 {% if nomad_use_tls | bool == True %}
3 # Specifies the address to the Vault server. This must include the protocol,
4 # host/ip, and port given in the format protocol://host:port. If your Vault
5 # installation is behind a load balancer, this should be the address of the
7 address = "{{ nomad_vault_address }}"
9 # Specifies if users submitting jobs to the Nomad server should be required
10 # to provide their own Vault token, proving they have access to the policies
11 # listed in the job. This option should be disabled in an untrusted
13 allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
15 # Specifies if the Vault integration should be activated.
16 enabled = {{ nomad_vault_enabled | bool | lower }}
18 # Specifies the role to create tokens from. The token given to Nomad does
19 # not have to be created from this role but must have "update" capability
20 # on "auth/token/create/<create_from_role>" path in Vault. If this value is
21 # unset and the token is created from a role, the value is defaulted to the
22 # role the token is from. This is largely for backwards compatibility. It
23 # is recommended to set the create_from_role field if Nomad is deriving
24 # child tokens from a role.
25 create_from_role = "{{ nomad_vault_create_from_role }}"
27 # Specifies the TTL of created tokens when using a root token. This is
28 # specified using a label suffix like "30s" or "1h".
29 task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
31 {% if nomad_vault_use_ssl | bool == True -%}
32 # Specifies an optional path to the CA certificate used for Vault
33 # communication. If unspecified, this will fallback to the default system
34 # CA bundle, which varies by OS and version.
35 ca_file = "{{ nomad_vault_ca_file }}"
37 # Specifies an optional path to a folder containing CA certificates to be
38 # used for Vault communication. If unspecified, this will fallback to the
39 # default system CA bundle, which varies by OS and version.
40 ca_path = "{{ nomad_vault_ca_path }}"
42 # Specifies the path to the certificate used for Vault communication. This
43 # must be set if tls_require_and_verify_client_cert is enabled in Vault.
44 cert_file = "{{ nomad_vault_cert_file }}"
46 # Specifies the path to the private key used for Vault communication. If
47 # this is set then you need to also set cert_file. This must be set if
48 # tls_require_and_verify_client_cert is enabled in Vault.
49 key_file = "{{ nomad_vault_key_file }}"
51 # Specifies the Vault namespace used by the Vault integration. If non-empty,
52 # this namespace will be used on all Vault API calls.
53 namespace = "{{ nomad_vault_namespace }}"
55 # Specifies an optional string used to set the SNI host when connecting to
57 tls_server_name = "{{ nomad_vault_tls_server_name }}"
59 # Specifies if SSL peer validation should be enforced.
60 tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }}
63 # Specifies the parent Vault token to use to derive child tokens for jobs
64 # requesting tokens. Only required on Nomad servers. Nomad client agents
65 # use the allocation's token when contacting Vault. Visit the Vault
66 # Integration Guide to see how to generate an appropriate token in Vault.
67 token = "{{ nomad_vault_token }}"