Feature/workload identity

README.md

@@ -222,6 +222,11 @@ The role defines most of its variables in `defaults/main.yml`:
 - Deployment garbage collection threshold
 - Default value: **1h**
 
+### `nomad_batch_eval_gc_threshold`
+
+- Batch job garbage collection threshold
+- Default value: **24h**
+
 ### `nomad_encrypt_enable`
 
 - Enable Gossip Encryption even if `nomad_encrypt` is not set
@@ -632,6 +637,41 @@ in many Ansible versions, so this feature might not always work.
 - Vault namespace used by nomad
 - Default value: **""**
 
+### `nomad_vault_identity_enabled`
+
+- Vault identity enabled will be used by nomad. Mandatory since 1.10. Will only be installed on servers.
+- Default value: **true**
+
+### `nomad_vault_identity_auth_method`
+
+- Vault identity auth method used by nomad. Will only be installed on servers.
+- Default value: **jwt**
+
+### `nomad_vault_identity_auth_path`
+
+- Vault identity auth path used by nomad. Will only be installed on servers.
+- Default value: **jwt-auth**
+
+### `nomad_vault_identity_auth_default_aud`
+
+- Vault identity auth aud used by nomad. Will only be installed on servers.
+- Default value: **nomad.staging.4flow-software.com**
+
+### `nomad_vault_identity_auth_default_ttl`
+
+- Vault identity auth default ttl used by nomad. Will only be installed on servers.
+- Default value: **1h**
+
+### `nomad_vault_identity_auth_default_env`
+
+- Specify whether the identity JWT may be include in job environment. Will only be installed on servers.
+- Default value: **false**
+
+### `nomad_vault_identity_auth_default_file`
+
+- Specify whether the identity JWT may be include in job as file. Will only be installed on servers.
+- Default value: **false**
+
 ### `nomad_docker_enable`
 
 - Enable docker

defaults/main.yml

@@ -101,6 +101,7 @@ nomad_node_gc_threshold: 24h
 nomad_job_gc_threshold: 4h
 nomad_eval_gc_threshold: 1h
 nomad_deployment_gc_threshold: 1h
+nomad_batch_eval_gc_threshold: 24h
 nomad_encrypt_enable: "{{ lookup('env', 'NOMAD_ENCRYPT_ENABLE') | default('false', true) }}"
 nomad_raft_protocol: 2
 nomad_raft_multiplier: 1
@@ -179,6 +180,14 @@ nomad_vault_tls_skip_verify: false
 nomad_vault_token: ""
 nomad_vault_namespace: ""
 
+nomad_vault_identity_enabled: true
+nomad_vault_identity_auth_method: "jwt"
+nomad_vault_identity_auth_path: "jwt"
+nomad_vault_identity_auth_default_aud: ""
+nomad_vault_identity_auth_default_ttl: "1h"
+nomad_vault_identity_auth_default_env: false
+nomad_vault_identity_auth_default_file: false
+
 ### Docker
 nomad_docker_enable: "{{ lookup('env', 'NOMAD_DOCKER_ENABLE') | default('false', true) }}"
 nomad_docker_dmsetup: true

molecule/_shared/Dockerfile.j2

@@ -16,9 +16,9 @@ ENV {{ var }} {{ value }}
 
 RUN if [ $(command -v apt-get) ]; then \
         if grep -q "Debian GNU/Linux 10" /etc/os-release; then \
-            apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt-common && apt-get clean; \
+            apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt python-apt-common && apt-get clean; \
         elif grep -q "Debian GNU/Linux 11" /etc/os-release; then \
-            apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python-apt-common && apt-get clean; \
+            apt-get update && apt-get install -y systemd python sudo bash ca-certificates iproute2 python3-apt python-apt-common && apt-get clean; \
         else \
             apt-get update && apt-get install -y systemd python3 sudo bash ca-certificates iproute2 python3-apt && apt-get clean; \
         fi \

tasks/install.yml

@@ -1,17 +1,36 @@
 ---
 # File: install.yml - package installation tasks for Nomad  # noqa 106
 
+- name: Gather the OS packages
+  ansible.builtin.package_facts:
+    manager: auto
+  tags: installation
+
+- name: Initialize a fact with the OS packages to install
+  ansible.builtin.set_fact:
+    nomad_os_packages_fact: []
+  tags: installation
+
+- name: Set a fact with the OS packages to really install
+  ansible.builtin.set_fact:
+    nomad_os_packages_fact: "{{ nomad_os_packages_fact + [item] }}"
+  with_items: "{{ nomad_os_packages }}"
+  tags: installation
+  when:
+    - item.handle is not defined or item.handle != 'skip'
+    - item.conflicts is not defined or item.conflicts not in ansible_facts.packages
+
 - name: Install OS packages
   ansible.builtin.package:
-    name: "{{ item }}"
+    name: "{{ item.name }}"
     state: present
-  with_items: "{{ nomad_os_packages }}"
+  with_items: "{{ nomad_os_packages_fact }}"
   tags: installation
   when: not ansible_facts['os_family'] == "VMware Photon OS"
 
 - name: Install OS packages # noqa no-changed-when
-  ansible.builtin.command: tdnf install {{ item }}
-  with_items: "{{ nomad_os_packages }}"
+  ansible.builtin.command: tdnf install {{ item.name }}
+  with_items: "{{ nomad_os_packages_fact }}"
   tags: installation
   when: ansible_facts['os_family'] == "VMware Photon OS"
 

templates/base.hcl.j2

@@ -73,19 +73,30 @@ acl {
 vault {
     enabled = {{ nomad_vault_enabled | bool | lower }}
     address = "{{ nomad_vault_address }}"
-    allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
-    create_from_role = "{{ nomad_vault_create_from_role }}"
-    task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
     ca_file = "{{ nomad_vault_ca_file }}"
     ca_path = "{{ nomad_vault_ca_path }}"
     cert_file = "{{ nomad_vault_cert_file }}"
     key_file = "{{ nomad_vault_key_file }}"
+    create_from_role = "{{ nomad_vault_create_from_role }}"
     tls_server_name = "{{ nomad_vault_tls_server_name }}"
     tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }}
+    namespace = "{{ nomad_vault_namespace }}"
 {%if nomad_node_role != 'client' %}
+{% if not nomad_vault_identity_enabled %}
+    allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
+    task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
     token = "{{ nomad_vault_token }}"
+{% else %}
+    auth_method = "{{ nomad_vault_identity_auth_method }}"
+    auth_path = "{{ nomad_vault_identity_auth_path }}"
+    default_identity {
+      aud = ["{{ nomad_vault_identity_auth_default_aud }}"]
+      ttl = "{{ nomad_vault_identity_auth_default_ttl }}"
+      env  = "{{ nomad_vault_identity_auth_default_env | bool | lower }}"
+      file = "{{ nomad_vault_identity_auth_default_file | bool | lower }}"
+  }
+{% endif %}
 {% endif %}
-    namespace = "{{ nomad_vault_namespace }}"
 }
 
 {% if nomad_telemetry | default(False) | bool == True %}

templates/server.hcl.j2

@@ -40,6 +40,7 @@ authoritative_region = "{{ nomad_authoritative_region }}"
     eval_gc_threshold = "{{ nomad_eval_gc_threshold }}"
     job_gc_threshold = "{{ nomad_job_gc_threshold }}"
     deployment_gc_threshold = "{{ nomad_deployment_gc_threshold }}"
+    batch_eval_gc_threshold = "{{ nomad_batch_eval_gc_threshold }}"
 
     encrypt = "{{ nomad_encrypt | default('') }}"
 

vars/Archlinux.yml

@@ -2,6 +2,6 @@
 # File: Archlinux.yml - Archlinux variables for Nomad
 
 nomad_os_packages:
-  - unzip
+  - name: unzip
 
 nomad_syslog_enable: false

vars/Debian.yml

@@ -2,10 +2,10 @@
 # File: vars/Debian.yml - Debian OS variables for Nomad
 
 nomad_os_packages:
-  - curl
-  - git
-  - "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('22.10', '<')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('12', '<')) %}libcgroup1{% else %}libcgroup2{% endif %}"
-  - unzip
-  - "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19', '<')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '<')) %}cgroup-bin{% else %}cgroup-tools{% endif %}"
+  - name: curl
+  - name: git
+  - name: "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('22.10', '<'))
+                or (ansible_distribution == 'Debian' and ansible_distribution_version is version('12', '<')) %}libcgroup1{% else %}libcgroup2{% endif %}"
+  - name: unzip
+  - name: "{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19', '<'))
+                or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '<')) %}cgroup-bin{% else %}cgroup-tools{% endif %}"

vars/RedHat.yml

@@ -2,9 +2,12 @@
 # File: vars/RedHat.yml - Red Hat OS variables for Nomad
 
 nomad_os_packages:
-  - "{% if (ansible_distribution == 'AlmaLinux' and ansible_distribution_version is version('9', '>=')) %}curl-minimal{% else %}curl{% endif %}"
-  - git
-  - "{% if (ansible_distribution == 'Fedora' and ansible_distribution_version is version('28', '<')) or (ansible_distribution == 'CentOS' and ansible_distribution_version
-    is version('8', '<')) or (ansible_distribution == 'Amazon' and ansible_distribution_version is version('3', '<')) or (ansible_distribution == 'OracleLinux' and
-    ansible_distribution_version is version('8', '<')) %}libselinux-python{% else %}python3-libselinux{% endif %}"
-  - unzip
+  - name: curl
+    conflicts: curl-minimal
+    handle: skip
+  - name: git
+  - name: "{% if (ansible_distribution == 'Fedora' and ansible_distribution_version is version('28', '<'))
+                or (ansible_distribution == 'CentOS' and ansible_distribution_version is version('8', '<'))
+                or (ansible_distribution == 'Amazon' and ansible_distribution_version is version('3', '<'))
+                or (ansible_distribution == 'OracleLinux' and ansible_distribution_version is version('8', '<')) %}libselinux-python{% else %}python3-libselinux{% endif %}"
+  - name: unzip

vars/VMware Photon OS.yml

@@ -1,3 +1,3 @@
 ---
 nomad_os_packages:
-  - unzip
+  - name: unzip