Usage doc for configuring Nomad OIDC with AWS IAM #23845
Conversation
This draft LGTM!
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
```hcl
resource "aws_lb_listener" "example" {
  load_balancer_arn = <LB_ARN>
  port              = "443"
```
The Nomad agents are listening on port 4646, but I don't see how we're mapping port 443 to that?
The original guide doesn't make any distinction so I tried my best to convert it as is. But looking at the terraform docs, we could either use a redirect to provide a port (but looks like we'd need to list all the hosts) or use the authenticate-oidc action which seems a little too perfect for the use-case. For the oidc action, I think the config would be something like this with `client_id` and `client_secret` coming from AWS and the rest from Nomad, but I can't find in the docs what the endpoints would be.
```hcl
authenticate_oidc {
  authorization_endpoint = "https://example.com/authorization_endpoint"
  client_id              = "client_id"
  client_secret          = "client_secret"
  issuer                 = "https://<NOMAD_CLUSTER_DOMAIN>"
  token_endpoint         = "https://example.com/token_endpoint"
  user_info_endpoint     = "https://example.com/user_info_endpoint"
}
```
I'm not sure which "original guide" you're referring to here, but I think I also assumed this had been verified end-to-end and not just ported from some other source.
This is the original guide from the support team, it does expect the user to have some knowledge and provides them with higher level steps with the user filling in the details. I'm trying to verify it now
Ok, maybe we should pull in @SuyashHashiCorp to take a look at this doc as well then? If I recall correctly that guide may have also been inspired by work @schmichael did.
I'm really excited to see workload identity federation (WIF) documentation for another cloud provider, but I'm afraid this content probably needs to be moved to https://github.com/hashicorp/tutorials if it is intended to be complementary to our GCP WIF tutorial: https://developer.hashicorp.com/nomad/tutorials/fed-workload-identity/integration-gcp
Source for that is here https://github.com/hashicorp/tutorials/blob/main/content/tutorials/nomad/integration-gcp.mdx and the corresponding jobspecs/terraform are here: https://github.com/hashicorp-education/learn-nomad-workload-identity-federation/tree/main
proxy.nomad.hcl is what handles proxying JWKS requests from the cloud vendor to Nomad's HTTP endpoint. You should be able to use that jobspec for any deployment in the cloud or onprem. The flow in GCP is:
GCP ---https (443)---> LB ---http (80)---> Proxy ---task api (unix socket)---> Nomad API
...and I assume a similar flow works for any cloud.
If there is a desire to keep this content in docs instead of tutorials, I think we should move the GCP tutorial over here and create a subdirectory under Operations for both. Ideally we'd add more WIF examples in the future. This all feels more like tutorials to me, but I can understand the desire and simplicity of reference docs. If we have any hard and fast rules about what makes something a tutorial vs a doc, I don't know it, so as long as we're consistent I'm ok with WIF content in either place.
@schmichael that's totally valid. Education is working on a larger initiative to better organize tutorials and docs and we've got some ongoing plans. @boruszak or I can loop you in for better context but the gist is: there are lots of tutorials/docs that could and should be moved around and edited to better fit in their respective places.
This doc was being brought over from the support team's knowledge base to make it more visible and we did intend to shuffle it around as part of the larger edu goal when we get there. 😅
Hello Team, Thank you for your patience and collaboration on this. I've thoroughly tested the documentation in my lab environment, and overall, the steps are well-structured and functional. However, I encountered issues with some of the Terraform code blocks while executing the setup. I have provided detailed comments outlining the specific errors encountered and proposed the corrected Terraform configuration that resolves these issues. The updated code has been rigorously tested and is now fully functional in my environment. Kindly update the documentation with the revised Terraform code changes, review the modifications, and let me know if any additional adjustments or refinements are required.
@SuyashHashiCorp I don't see any of your comments here in the PR. Maybe you missed submitting them as a review?
Hey Team,
To resolve this, I removed the double quotes from the type parameter as follows:
I added an
To fix this, the correct syntax for accessing the first element in a list should be:
I corrected these issues by modifying the policy structure. Here is the working Terraform code:
Please update the documentation with these corrections. Let me know if you need any further adjustments or clarifications. Thank you!!
Thanks @SuyashHashiCorp! I'll get your changes integrated 👍
LGTM
Co-authored-by: Tim Gross <tgross@hashicorp.com>
Reference: JIRA ticket
Preview: Build link