kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-01 16:05:42 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
53b083b8c5e09c8f12ae6a9db9fe6f88e75c2d12
nomad/website/content/api-docs/operator/keyring.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

267 lines
6.8 KiB
Plaintext
Raw Blame History

---
layout: api
page_title: Keyring - Operator - HTTP API
description: |-
The /operator/keyring endpoints provide tools for Nomad operators to interact with the root keyring.
---
# Keyring Operator HTTP API
The `/operator/keyring` endpoints manage encryption root keys used for storing
variables and signing workload identities, including examining active encryption
keys, rotating keys, or removing unused keys.
See the [Key Management] documentation for information how these capabilities
are used. For instructions on how to use the CLI to perform these operations
manually, please see the documentation for the [`nomad operator root keyring`]
commands.
## List Active Public Keys
This endpoint retrieves a list of active public keys used to sign [workload
identities][wi]. The response is in the [JWKS][rfc7517] format as is commonly
used by JWT auth methods.
| Method | Path | Produces |
|--------|-----------------------------|--------------------|
| `GET` | `/.well-known/jwks.json` | `application/json` |
The table below shows this endpoint's support for [blocking queries] and
[required ACLs].
| Blocking Queries | ACL Required |
|------------------|--------------|
| `YES` | `none` |
### Sample Request
```shell-session
$ nomad operator api '/.well-known/jwks.json'
```
### Sample Response
```json
{
"keys": [
{
"use": "sig",
"kty": "RSA",
"kid": "15a95f48-001a-8be5-5da9-d94901d022c9",
"alg": "RS256",
"n": "6sImUQR6A...FB7bKn02dKw",
"e": "AQAB"
},
{
"use": "sig",
"kty": "RSA",
"kid": "b7f6a3a7-14f9-4ac5-f713-32c9bce1fa93",
"alg": "RS256",
"n": "zEdiUB3DFuM...ii3kQvOf_eDApBDWJhfQw",
"e": "AQAB"
}
]
}
```
## OIDC Discovery
This endpoint retrieves [OIDC configuration metadata][oidc-disco] for using
[workload identities][wi] with third party services. Nomad will act as an
identity provider (IDP) to allow third parties to authenticate workload
identity JWTs based on the OIDC configurationa and JWKS.
Most third parties will require this endpoint be accessible through a
publically resolvable domain name and HTTPS signed by a trusted certificate
authority.
You must set the [`oidc_issuer`][oidc_issuer] Server agent configuration
parameter before this endpoint is enabled. In most situations you will also
need to run a proxy or load balancer for in front of this endpoint to serve the
contents with HTTPS using a trusted certificate.
| Method | Path | Produces |
|--------|-------------------------------------|--------------------|
| `GET` | `/.well-known/openid-configuration` | `application/json` |
The table below shows this endpoint's support for [blocking queries] and
[required ACLs].
| Blocking Queries | ACL Required |
|------------------|--------------|
| `NO` | `none` |
### Sample Request
```shell-session
$ nomad operator api '/.well-known/openid-configuration'
```
### Sample Response
```json
{
"id_token_signing_alg_values_supported": [
"RS256",
"EdDSA"
],
"issuer": "http://example.com",
"jwks_uri": "http://example.com/.well-known/jwks.json",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
]
}
```
## List Keys
This endpoint retrieves a list of root keys known to the cluster. Note that only
key metadata is returned and the key material is never made available via the
HTTP API.
| Method | Path | Produces |
|--------|-----------------------------|--------------------|
| `GET` | `/v1/operator/keyring/keys` | `application/json` |
The table below shows this endpoint's support for [blocking queries] and
[required ACLs].
| Blocking Queries | ACL Required |
|------------------|--------------|
| `YES` | `management` |
### Sample Request
```shell-session
$ curl \
https://localhost:4646/v1/operator/keyring/keys
```
### Sample Response
```json
[
{
"Algorithm": "aes256-gcm",
"CreateIndex": 13,
"CreateTime": 1662665630638648800,
"KeyID": "26cbda57-e01e-188d-5f39-b6e3fca95a5b",
"ModifyIndex": 13,
"State": "active"
},
{
"Algorithm": "aes256-gcm",
"CreateIndex": 6,
"CreateTime": 1662665528857979100,
"KeyID": "64b96f4b-f167-f2dd-9148-7867f7e420e3",
"ModifyIndex": 12,
"State": "inactive"
},
{
"Algorithm": "aes256-gcm",
"CreateIndex": 12,
"CreateTime": 1662665624108063000,
"KeyID": "f9725e52-9b49-5b55-a8eb-083e23db4a3e",
"ModifyIndex": 13,
"State": "inactive"
}
]
```
## Rotate Key
This endpoint forces the server to rotate the active root key.
| Method | Path | Produces |
|--------|-------------------------------|--------------------|
| `PUT` | `/v1/operator/keyring/rotate` | `application/json` |
The table below shows this endpoint's support for [blocking queries] and
[required ACLs].
| Blocking Queries | ACL Required |
|------------------|--------------|
| `NO` | `management` |
### Parameters
- `full` `(bool: false)` - Decrypt all existing variables and re-encrypt with
the new key. This API request will immediately return and the re-encryption
process will run asynchronously on the leader.
### Sample Request
```shell-session
$ curl \
-XPUT \
https://localhost:4646/v1/operator/keyring/rotate
```
### Sample Response
```json
{
"Index": 13,
"Key": {
"Algorithm": "aes256-gcm",
"CreateIndex": 0,
"CreateTime": 1662665630638648800,
"KeyID": "26cbda57-e01e-188d-5f39-b6e3fca95a5b",
"ModifyIndex": 0,
"State": "active"
}
}
```
## Delete Key
This endpoint deletes a root key in the `inactive` state.
| Method | Path | Produces |
|----------|------------------------------------|--------------------|
| `DELETE` | `/v1/operator/keyring/key/:key_id` | `application/json` |
The table below shows this endpoint's support for [blocking queries] and
[required ACLs].
| Blocking Queries | ACL Required |
|------------------|--------------|
| `NO` | `management` |
### Parameters
- `force` `(bool: false)` - Remove the key even if it was used to sign an existing variable
or workload identity.
### Sample Request
```shell-session
$ curl \
-XDELETE \
https://localhost:4646/v1/operator/keyring/key/68237d9-1770-4d34-9c41-1f220107fc10
```
### Sample Response
```json
{
"Index": 16
}
```
[Key Management]: /nomad/docs/manage/key-management
[`nomad operator root keyring`]: /nomad/commands/operator/root/keyring-rotate
[blocking queries]: /nomad/api-docs#blocking-queries
[oidc-disco]: https://openid.net/specs/openid-connect-discovery-1_0.html
[oidc_issuer]: /nomad/docs/configuration/server#oidc_issuer
[required ACLs]: /nomad/api-docs#acls
[rfc7517]: https://datatracker.ietf.org/doc/html/rfc7517
[wi]: /nomad/docs/concepts/workload-identity
Reference in New Issue View Git Blame Copy Permalink