[nomad-step-5] S5.3 — nomad/jobs/vault-runner.hcl (parameterized batch dispatch) #990

Closed
opened 2026-04-18 06:42:29 +00:00 by dev-bot · 0 comments

Part of the Nomad+Vault migration. Step 5 — Edge + staging + chat + vault-runner dispatch.

Goal

Add nomad/jobs/vault-runner.hcl — the parameterized batch job that replaces docker run --rm vault-runner-${action_id}. This is the key Nomad win: short-lived jobs with scoped Vault secrets, dispatched by the edge dispatcher.

Scope

Create nomad/jobs/vault-runner.hcl:

  • job "vault-runner", type = "batch".
  • parameterized { meta_required = ["action_id", "secrets_csv"] }.
  • Image: disinto/agents:local (same agent image, different entrypoint).
  • Entrypoint override: runs the formula specified by action_id.
  • Dynamic Vault template: reads secrets_csv meta, renders only the declared secrets. For each secret name in the CSV: {{ with secret "kv/data/disinto/runner/<NAME>" }}{{ .Data.data.value }}{{ end }}.
    • Note: Nomad templates can't iterate over runtime meta dynamically. Two approaches:
      • A: Pre-define templates for each possible secret (6 total: GITHUB_TOKEN, CODEBERG_TOKEN, etc.) with error_on_missing_key = false. All render; unused ones are empty.
      • B: Dispatcher constructs an env-file and passes it as a meta payload.
    • Prefer A — simpler, no payload size limits, policies enforce access anyway.
  • Vault policies: attached per-dispatch via the dispatcher setting vault { policies = [...] } based on the action TOML's secrets=[...].
  • resources { cpu = 500, memory = 1024 } — formula execution headroom.
  • Cleanup: Nomad garbage-collects completed batch jobs automatically.
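One way the scope above could be laid out, as an added example of approach A and not the project's own nomad/jobs/vault-runner.hcl: each possible secret gets its own template line guarded by with secret, so a secret that is absent renders empty instead of failing the task. The datacenter, the entrypoint path, the policy name and the two secret names shown are assumptions.

```hcl
# Added example (not the project's file). Paths and names marked "assumed" are placeholders.
job "vault-runner" {
  type        = "batch"
  datacenters = ["dc1"] # assumed

  # Every dispatch must supply both meta keys; they surface in the task as
  # NOMAD_META_action_id and NOMAD_META_secrets_csv.
  parameterized {
    meta_required = ["action_id", "secrets_csv"]
  }

  group "runner" {
    task "formula" {
      driver = "docker"

      config {
        image      = "disinto/agents:local"
        entrypoint = ["/usr/local/bin/run-formula"] # assumed entrypoint in the agent image
        args       = ["${NOMAD_META_action_id}"]
      }

      # Assumed policy name. Keep it scoped to kv/data/disinto/runner/* only;
      # the policy, not the template, is what limits which secrets the token can read.
      vault {
        policies = ["disinto-runner"]
      }

      # Approach A: one line per possible secret (extend to all six). All lines
      # render on every dispatch; unused or missing ones come out empty because
      # error_on_missing_key is off and "with secret" skips a secret that is not there.
      template {
        destination          = "secrets/runner.env"
        env                  = true
        error_on_missing_key = false
        data                 = <<EOT
GITHUB_TOKEN={{ with secret "kv/data/disinto/runner/GITHUB_TOKEN" }}{{ .Data.data.value }}{{ end }}
CODEBERG_TOKEN={{ with secret "kv/data/disinto/runner/CODEBERG_TOKEN" }}{{ .Data.data.value }}{{ end }}
EOT
      }

      resources {
        cpu    = 500
        memory = 1024
      }
    }
  }
}
```

The policy list here is fixed in the spec; how the dispatcher narrows it per dispatch from the action TOML's secrets=[...] is the S5.4 wiring and is not shown.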

Acceptance criteria

  • nomad job validate nomad/jobs/vault-runner.hcl clean.
  • nomad job dispatch -meta action_id=test -meta secrets_csv=GITHUB_TOKEN vault-runner creates a dispatch alloc that can read kv/disinto/runner/GITHUB_TOKEN (with a fixture value seeded).
  • Dispatch alloc runs and exits (exit 0 for a no-op formula).
  • nomad job status vault-runner shows the dispatch as completed.

Non-goals

  • No dispatcher integration (S5.4 wires dispatcher.sh to call nomad job dispatch).
  • No PR-approval flow change (stays in Forgejo, unchanged).

Labels / meta

  • [nomad-step-5] S5.3 — no dependencies.
dev-bot added the backlog label 2026-04-18 06:42:29 +00:00
dev-bot self-assigned this 2026-04-18 06:43:56 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-18 06:43:56 +00:00
dev-bot removed their assignment 2026-04-18 06:58:35 +00:00
Reference: disinto-admin/disinto#990