upgrade NOMAD_TOKEN to a runtime podman secret (only optional conveni…

…ence after bootstrapping that can be removed if desired)
internetarchive · Mar 13, 2024 · a099662 · a099662
1 parent c1eabb3
commit a099662
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 22 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -17,7 +17,6 @@ ENV TZ Etc/UTC
 ENV TERM xterm
 ENV ARCH "dpkg --print-architecture"
 
-ENV CONFIG     /etc/hind
 ENV NOMAD_HCL  /etc/nomad.d/nomad.hcl
 ENV CONSUL_HCL /etc/consul.d/consul.hcl
 ENV KEY_HASHI  /usr/share/keyrings/hashicorp-archive-keyring.gpg

diff --git a/README.md b/README.md
@@ -87,8 +87,8 @@ that you have downloaded `nomad` binary (include home mac/laptop etc.)
 
 From a shell on your VM:
 ```bash
-eval $(sudo podman run --rm hind cat /etc/hind)
-env |egrep ^NOMAD_
+export NOMAD_ADDR=https://$(hostname -f)
+export NOMAD_TOKEN=$(podman run --rm --secret NOMAD_TOKEN,type=env hind sh -c 'echo $NOMAD_TOKEN')
 ```
 Then, `nomad status` should work.
 ([Download `nomad` binary](https://www.nomadproject.io/downloads) to VM or home dir if/as needed).

diff --git a/bin/bootstrap.sh b/bin/bootstrap.sh
@@ -29,12 +29,10 @@ fi
 )
 
 
-
 # fire up daemons
 /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
 
 
-
 if [ ! $FIRST ]; then
 
   touch /tmp/bootstrap
@@ -54,10 +52,10 @@ if [ ! $FIRST ]; then
   consul keygen | tr -d ^ | podman secret create HIND_C -
   nomad operator gossip keyring generate | tr -d ^ | podman secret create HIND_N -
 
-  echo export NOMAD_TOKEN=$(fgrep 'Secret ID' /tmp/bootstrap |cut -f2- -d= |tr -d ' ') > $CONFIG
-  rm -f /tmp/bootstrap
+  export   NOMAD_TOKEN=$(fgrep 'Secret ID' /tmp/bootstrap |cut -f2- -d= |tr -d ' ')
+  echo -n $NOMAD_TOKEN | podman secret create NOMAD_TOKEN -
 
-  source $CONFIG
+  rm -f /tmp/bootstrap
 
 else
 
@@ -69,22 +67,9 @@ else
     [ "$?" = "0" ] && break
   done
 
-  touch $CONFIG
-
-fi
-
-
-if [ $HOST_UNAME = Darwin ]; then
-  echo "export NOMAD_ADDR=http://$FQDN:6000" >> $CONFIG
-else
-  echo "export NOMAD_ADDR=https://$FQDN"     >> $CONFIG
 fi
 
 
-chmod 400 $CONFIG
-
-
-
 if [ $NFSHOME ]; then
   echo '
 client {

diff --git a/install.sh b/install.sh
@@ -57,7 +57,14 @@ if [ ! $FIRST ]; then
   (inside or outside the running container or from a home machine --
   anywhere you have downloaded a `nomad` binary):
     '
-  podman run --rm hind sh -c 'cat $CONFIG'
+
+  if [ $HOST_UNAME = Darwin ]; then
+    echo "export NOMAD_ADDR=http://$FQDN:6000"
+  else
+    echo "export NOMAD_ADDR=https://$FQDN"
+  fi
+
+  podman run --rm --secret NOMAD_TOKEN,type=env hind sh -c 'echo export NOMAD_TOKEN=$NOMAD_TOKEN'
 else
   echo '