Backport of add interpolation support in env stanzas for secret providers into release/1.11.x#27621

Merged
mismithhisler merged 1 commit into release/1.11.x from backport/feature/interpolation-in-env-block-of-custom-secret-plugins/lightly-first-egret on Mar 2, 2026
Conversation

@hc-github-team-nomad-core
Contributor

Backport

This PR is auto-generated from #27568 to be assessed for backporting due to the inclusion of the label backport/1.11.x.

The below text is copied from the body of the original PR.

Summary

  • Add variable interpolation support for env {} values in the secret stanza when using custom plugin providers
  • Enables references like ${secret.X.Y}, ${node.*}, and ${NOMAD_*} inside plugin env blocks
  • Template-based secrets (nomad, vault) resolve first, then their values are interpolated into plugin env maps before Fetch() is called

Context

#27569

Implementation

The interpolation machinery already exists in helper/args.ReplaceEnv and taskenv.TaskEnv.ReplaceEnv — it just wasn't wired up for the secret.env block.

Changes:

  1. Add SetEnv(map[string]string) to the SecretsPlugin interface and implement it on externalSecretsPlugin. This allows updating a plugin's environment variables after construction.
  2. Add InterpolateEnv(rawEnv, interpolate) to ExternalPluginProvider. Applies an interpolation function to all env values and updates the underlying plugin via SetEnv.
  3. client/allocrunner/taskrunner/secrets_hook.go — Two changes:
    • buildSecretProviders() now also returns the raw env maps alongside the plugin providers
    • Prestart() interpolates plugin env values after h.envBuilder.SetSecrets(m) (template secrets resolved) but before the plugin Fetch() loop, using taskEnv.ReplaceEnv which already supports ${secret.*}, ${node.*}, and ${NOMAD_*} references

Scope

  • Template-to-plugin interpolation only (nomad/vault secret → plugin env)
  • Plugin-to-plugin chaining (plugin A's secrets in plugin B's env) is not in scope — plugins are fetched sequentially, but env interpolation happens once before all fetches. This could be added later with per-plugin lazy interpolation if there's demand.

Testing

  • New integration test in secrets_hook_test.go: sets up a Nomad variable server returning token=my-secret-token, creates a bash plugin that echoes back ${SERVICE_TOKEN}, configures the plugin's env with SERVICE_TOKEN=${secret.creds.token}, and asserts the plugin receives the interpolated value
  • New unit test in plugin_provider_test.go: verifies InterpolateEnv correctly applies the interpolation function and calls SetEnv with the result
  • All existing tests continue to pass
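An added example, not Nomad's own code, of the interpolation step the PR describes: values already resolved from template secrets and node attributes are applied to a plugin's raw env map, and the result is handed to the plugin through SetEnv before any Fetch would run. The Interpolator and Plugin types, the regex, and the sample keys are assumed stand-ins for taskenv.TaskEnv.ReplaceEnv, the SecretsPlugin interface and the PR's test values; by assumption, references that cannot be resolved are left as written, which is how the out-of-scope plugin-to-plugin reference in the sample shows up.

```go
package main

import (
	"fmt"
	"regexp"
)

// varRef matches ${...} references such as ${secret.creds.token},
// ${node.region} or ${NOMAD_ALLOC_ID}. Assumed pattern for this example.
var varRef = regexp.MustCompile(`\$\{([^}]+)\}`)

// Interpolator plays the role of taskenv.TaskEnv.ReplaceEnv in the PR:
// it resolves references against template secrets that have already been
// set via SetSecrets plus node/task attributes (constructed keys below).
type Interpolator struct {
	Vars map[string]string // fully-qualified keys, e.g. "secret.creds.token"
}

// ReplaceEnv substitutes every resolvable reference in s. Unknown references
// are left verbatim (assumption for this example), so nothing is silently
// blanked and an unresolved reference is visible in the plugin's env.
func (i Interpolator) ReplaceEnv(s string) string {
	return varRef.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := i.Vars[m[2:len(m)-1]]; ok { // strip "${" and "}"
			return v
		}
		return m
	})
}

// Plugin is a stand-in for a SecretsPlugin extended with SetEnv.
type Plugin struct{ env map[string]string }

func (p *Plugin) SetEnv(env map[string]string) { p.env = env }

// InterpolateEnv applies interpolate to each raw env value and pushes the
// result to the plugin, mirroring ExternalPluginProvider.InterpolateEnv.
func InterpolateEnv(p *Plugin, rawEnv map[string]string, interpolate func(string) string) map[string]string {
	out := make(map[string]string, len(rawEnv))
	for k, v := range rawEnv {
		out[k] = interpolate(v)
	}
	p.SetEnv(out)
	return out
}

func main() {
	// Constructed sample: template secrets resolved first, then plugin env interpolated.
	interp := Interpolator{Vars: map[string]string{"secret.creds.token": "my-secret-token", "node.region": "us-east"}}
	raw := map[string]string{"SERVICE_TOKEN": "${secret.creds.token}", "ENDPOINT": "https://vault.${node.region}.example.internal", "UPSTREAM": "${secret.pluginA.key}"}
	p := &Plugin{}
	for k, v := range InterpolateEnv(p, raw, interp.ReplaceEnv) {
		fmt.Printf("%s=%s\n", k, v) // UPSTREAM stays unresolved: plugin-to-plugin chaining is out of scope
	}
}
```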

Overview of commits

@mismithhisler mismithhisler merged commit e09b81c into release/1.11.x Mar 2, 2026
31 checks passed
@mismithhisler mismithhisler deleted the backport/feature/interpolation-in-env-block-of-custom-secret-plugins/lightly-first-egret branch March 2, 2026 18:02