Chained/nested templates

[Himura2la]

Use-cases

We are working on a configs/secrets convention in the Nomad+Consul+Vault stack, and we would like to have the following features:

• Hot reload for config (don't store production configs in the repo/image).
• Store secrets separate from config values (in Vault).
• Don't store each config value separately, as there are too many config values.
• Don't put full config into Vault.

Attempted Solutions

We found that the ideal solution would be a nested template. We'd like to store the config template in Consul K/V, like this:

{
  "foo": "bar",
  "secret" : "{{with secret "secret/data/nomad/nested-template-test-secrets"}}{{.Data.data.secret}}{{end}}"
}

Fetch it from Consul and use as a template again to resolve Vaulted values, like this:

job "nested-template-test" {
  datacenters = ["dc"]
  group "nested-template-test" {
    task "nested-template-test" {
      driver = "docker"
      config {
        image = "alpine"
        interactive = true
      }

      template {
        data = <<-EOF
          {{key "nested-template-test-config"}}
        EOF
        destination = "local/from-consul.json.tmpl"
      }
      template {
        source = "local/from-consul.json.tmpl"
        destination = "secrets/from-vault.json"
      }

    }
  }
}

Proposal

Unfortunately, this does not work, looks like Nomad checks all template sources before starting to execute templates.

 template: failed to read template: exit status 1: failed to open source file "/nested-template-test/local/from-consul.json.tmpl": open /nested-template-test/local/from-consul.json.tmpl: no such file or directory 

Maybe someone have something else to propose, which may suite our needs...

[tgross]

Hi @Himura2la! You're right this isn't currently possible. This would be a feature that would need to be added to consul-template, so I'll move this issue there.