HashiCorp Nomad Adds SSO Support and Dynamic Metadata

Matt Campbell

Article originally posted on InfoQ.

HashiCorp has released version 1.5 of Nomad, currently in beta. Nomad is their orchestrator platform for deploying and managing both containerized and non-containerized environments. This release adds single sign-on and OIDC support as well as dynamic node metadata, job templates, and UI improvements.

With this release, it is now possible to sign into Nomad via single sign-on (SSO). Any OIDC-compliant identity provider (IDP) can be used. At the time of writing, this includes Okta, Auth0, Amazon Cognito, Google Identity Platform, Azure Active Directory, and HashiCorp Vault. This improves upon previous releases where ACL tokens were used to control permissions. The distribution and management of these tokens were left up to Nomad administrators.

This improvement also includes a new nomad login CLI command. The command exchanges credentials from the third-party provider, via the named authentication method, for a Nomad ACL token. For example, logging in via an OIDC provider can be done as follows:

nomad login -type=OIDC -method=auth0

This release also improves setting and updating metadata on Nomad client nodes. Metadata can be configured on client nodes to help with scheduling decisions. For example, the spread block can be used to specify the node attribute that allocations should be spread over. Metadata can be used here to help specify which racks to place the allocations:

spread {
  attribute = "${meta.rack}"
  target "r1" {
    percent = 60
  }
  target "r2" {
    percent = 40
  }
}

It is now possible to dynamically update and create metadata without having to restart the client. This can be done by the API, UI, or CLI. Updating via the CLI can be done as follows:

nomad node meta apply -node-id aws-t2-622 inodes=127126 custom-key=val

Mike Nomitch, Senior Product Manager at HashiCorp, notes that this feature can be useful in situations such as:

Conditional scheduling based on changes to node-level dependencies, customized node health or resource checks, and scheduling in response to batch jobs that change the configuration of their client node.

A new Unix domain socket (UDS) has been added to simplify how Nomad tasks communicate with Nomad. The socket is mounted at ${NOMAD_SECRETS_DIR}/api.sock and requests to it require authentication. Uses for the socket include autoscaling controllers, custom operator tasks, and updating node metadata from within a task.
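The two previous paragraphs describe updating node metadata through the CLI and reaching Nomad from inside a task through the authenticated socket. The script below is an added example, not code from the article or from HashiCorp: a small POSIX shell helper that a task could run to read or update its own node's dynamic metadata over the socket, with the metadata keys validated so that they are safe to reference later as ${meta.<key>} in a spread or constraint block. The socket path comes from the article; the /v1/client/metadata endpoint, the {"Meta": {...}} request body, the X-Nomad-Token header, and the assumption that the task's workload identity is exposed to it as NOMAD_TOKEN (which needs an identity block with env = true in the job) are assumptions drawn from the Nomad HTTP API rather than stated on the page.

```shell
#!/bin/sh
# Added example (not from the article or HashiCorp). Read/update the node's
# dynamic metadata from inside a Nomad task through the task API socket.
# Assumed, not from the article: endpoint /v1/client/metadata, body
# {"Meta":{...}}, header X-Nomad-Token, and NOMAD_TOKEN being set for the
# task (requires identity { env = true } in the task definition).
set -eu

# validate_meta_key: accept only keys that can be referenced as ${meta.<key>}
# in spread/constraint blocks: letters, digits, '_', '.', '-'; no leading
# digit; not empty.
validate_meta_key() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_.-]*) return 1 ;;
    [0-9]*) return 1 ;;
  esac
  return 0
}

# json_escape: escape backslashes and double quotes so a value can be
# embedded in a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# meta_json: turn key=value arguments (same shape as `nomad node meta apply`)
# into the request body {"Meta":{"key":"value",...}}. Fails on a missing '='
# or an invalid key instead of sending a half-formed update.
meta_json() {
  first=1
  out='{"Meta":{'
  for kv in "$@"; do
    case "$kv" in
      *=*) ;;
      *) echo "missing '=' in: $kv" >&2; return 1 ;;
    esac
    key="${kv%%=*}"
    val="${kv#*=}"
    validate_meta_key "$key" || { echo "invalid metadata key: $key" >&2; return 1; }
    if [ "$first" -eq 1 ]; then first=0; else out="$out,"; fi
    out="$out\"$key\":\"$(json_escape "$val")\""
  done
  printf '%s}}' "$out"
}

# socket_ready: the socket must exist and the task must hold a token;
# otherwise report why and return 2 so callers can distinguish "not running
# inside a Nomad task" from a bad request.
socket_ready() {
  sock="${NOMAD_SECRETS_DIR:-/secrets}/api.sock"
  [ -S "$sock" ] || { echo "task API socket not found: $sock" >&2; return 2; }
  [ -n "${NOMAD_TOKEN:-}" ] || { echo "NOMAD_TOKEN not set; add identity { env = true } to the task" >&2; return 2; }
  return 0
}

# meta_get: read the node's current metadata over the socket.
meta_get() {
  socket_ready || return $?
  curl -sSf --unix-socket "${NOMAD_SECRETS_DIR:-/secrets}/api.sock" \
       -H "X-Nomad-Token: $NOMAD_TOKEN" \
       http://localhost/v1/client/metadata
}

# meta_apply: validate, build the body, then POST it over the socket.
meta_apply() {
  body="$(meta_json "$@")" || return 1
  socket_ready || return $?
  curl -sSf --unix-socket "${NOMAD_SECRETS_DIR:-/secrets}/api.sock" \
       -H "X-Nomad-Token: $NOMAD_TOKEN" \
       -X POST --data "$body" \
       http://localhost/v1/client/metadata
}

# Only talk to the socket when run directly with key=value arguments, so the
# helpers can be sourced and exercised without a Nomad agent present.
if [ "$#" -gt 0 ]; then
  meta_apply "$@"
fi
```

Run inside a task as `sh meta.sh rack=r1 custom-key=val`; the same update applied from an operator's workstation is the article's `nomad node meta apply` command. The key validation matters because a key that cannot be referenced from a spread block is silently useless for scheduling, and the readiness check keeps the script from failing with an opaque curl error when it is run outside a task.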

New job templates have been included in this release. Designed to help new Nomad users get up to speed, they cover use cases such as a simple service job, batch jobs, service discovery, and Nomad variables. The templates are available from the UI and the CLI.

This release also introduces a number of UI improvements including a new page where administrators can view, create, and update Nomad ACL policies. Additionally, task events are now shown in the logs sidebar. This can facilitate debugging as task failure information will be located here.

More details on the release can be found on the HashiCorp blog. Questions and feedback can be taken to the Nomad Community Forums or the community office hours. The open-source version of Nomad is available free for download.
