kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-02 00:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
9bcfe7bd36c50e711c349a50358cdac3fa0cceb7
nomad/website/content/api-docs/task-api.mdx
Aimee Ukasick 53b083b8c5 Docs: Nomad IA (#26063) 
* Move commands from docs to its own root-level directory

* temporarily use modified dev-portal branch with nomad ia changes

* explicitly clone nomad ia exp branch

* retrigger build, fixed dev-portal broken build

* architecture, concepts and get started individual pages

* fix get started section destinations

* reference section

* update repo comment in website-build.sh to show branch

* docs nav file update capitalization

* update capitalization to force deploy

* remove nomad-vs-kubernetes dir; move content to what is nomad pg

* job section

* Nomad operations category, deploy section

* operations category, govern section

* operations - manage

* operations/scale; concepts scheduling fix

* networking

* monitor

* secure section

* remote auth-methods folder and move up pages to sso; linkcheck

* Fix install2deploy redirects

* fix architecture redirects

* Job section: Add missing section index pages

* Add section index pages so breadcrumbs build correctly

* concepts/index fix front matter indentation

* move task driver plugin config to new deploy section

* Finish adding full URL to tutorials links in nav

* change SSO to Authentication in nav and file system

* Docs NomadIA: Move tutorials into NomadIA branch (#26132)

* Move governance and policy from tutorials to docs

* Move tutorials content to job-declare section

* run jobs section

* stateful workloads

* advanced job scheduling

* deploy section

* manage section

* monitor section

* secure/acl and secure/authorization

* fix example that contains an unseal key in real format

* remove images from sso-vault

* secure/traffic

* secure/workload-identities

* vault-acl change unseal key and root token in command output sample

* remove lines from sample output

* fix front matter

* move nomad pack tutorials to tools

* search/replace /nomad/tutorials links

* update acl overview with content from deleted architecture/acl

* fix spelling mistake

* linkcheck - fix broken links

* fix link to Nomad variables tutorial

* fix link to Prometheus tutorial

* move who uses Nomad to use cases page; move spec/config shortcuts

add dividers

* Move Consul out of Integrations; move namespaces to govern

* move integrations/vault to secure/vault; delete integrations

* move ref arch to docs; rename Deploy Nomad back to Install Nomad

* address feedback

* linkcheck fixes

* Fixed raw_exec redirect

* add info from /nomad/tutorials/manage-jobs/jobs

* update page content with newer tutorial

* link updates for architecture sub-folders

* Add redirects for removed section index pages. Fix links.

* fix broken links from linkcheck

* Revert to use dev-portal main branch instead of nomadIA branch

* build workaround: add intro-nav-data.json with single entry

* fix content-check error

* add intro directory to get around Vercel build error

* workound for emtpry directory

* remove mdx from /intro/ to fix content-check and git snafu

* Add intro index.mdx so Vercel build should work

---------

Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
2025-07-08 19:24:52 -05:00

110 lines
3.6 KiB
Plaintext
Raw Blame History

---
layout: api
page_title: Task HTTP API
description: |-
Jobs can access Nomad's HTTP API via the Task API.
---
# Task API
Nomad's Task API provides every task managed by Nomad with a Unix Domain Socket
(UDS) to access the local agent's HTTP API. Regardless of agent configuration
the Task API does *not* require [mTLS][], but *always* requires authentication.
See below for details.
The Unix Domain Socket is located at `${NOMAD_SECRETS_DIR}/api.sock`.
## Rationale
Nomad's HTTP API is available on every agent at the configured
[`bind_addr`][bind_addr]. While this is convenient for user access, it is not
always accessible to workloads running on Nomad. These workloads may have a
network configuration that makes it impossible to access the agent HTTP
address, or the agent's HTTP address may be difficult for workloads to discover
in a way that's portable between Nomad nodes and clusters.
A Unix Domain Socket is a way to expose network services that works with most
runtimes and operating systems and adds minimal complexity or runtime overhead
to Nomad.
## Security
Unlike the agent's HTTP API, the Task API *always requires authentication* even
if [ACLs][acl] are disabled. This allows Nomad to always make the Task API
available even if the workload is untrusted. If ACLs are enabled, the [anonymous
policy][anon] is not available via the Task API.
Both [ACL Tokens][acl-tokens] and [Workload Identities][workload-id] are
accepted. Once the Task API has authenticated the credentials, the normal
endpoint-specific authorization is applied when ACLs are enabled.
The Workload Identity should be used by tasks accessing the Task API.
An ACL Token should be used when an operator is accessing the Task API via
[`nomad alloc exec`][alloc-exec] or when a task is proxying Nomad HTTP requests
on behalf of an authenticated user. The Task API could be used by a proxy
presenting Nomad's UI with a standard TLS certificate for browsers.
If [`task.user`][task-user] is set in the jobspec, the Task API will only be
usable by that user. Otherwise the Unix Domain Socket is accessible by any
user.
mTLS is never enabled for the Task API since traffic never leaves the node.
## Using the Task API
The following jobspec will use the Task API to set [Dynamic Node Metadata][dnm]
and exit.
```hcl
job "taskapi-example" {
type = "batch"
group "taskapi-example" {
task "taskapi" {
driver = "docker"
config {
image = "curlimages/curl:7.87.0"
args = [
"--unix-socket", "${NOMAD_SECRETS_DIR}/api.sock",
"-H", "Authorization: Bearer ${NOMAD_TOKEN}",
"--data-binary", "{\"Meta\": {\"example\": \"Hello World!\"}}",
"--fail-with-body",
"--verbose",
"localhost/v1/client/metadata",
]
}
identity {
env = true
}
}
}
}
```
If the job was able to run successfully after about 10 seconds you can observe
the outcome by searching for the updated Node's metadata:
```shell-session
$ nomad node status -filter 'Meta.example == "Hello World!"'
```
## Limitations
- Using the Task API Unix Domain Socket on Windows [requires][windows] Windows
build 17063 or later.
[acl]: /nomad/docs/secure/acl/
[acl-tokens]: /nomad/docs/secure/acl/#tokens
[alloc-exec]: /nomad/commands/alloc/exec
[anon]: /nomad/docs/secure/acl#policies
[bind_addr]: /nomad/docs/configuration
[mTLS]: /nomad/docs/secure/traffic/tls
[task-user]: /nomad/docs/job-specification/task#user
[workload-id]: /nomad/docs/concepts/workload-identity
[windows]: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/
[dnm]: /nomad/api-docs/client#update-dynamic-node-metadata
Reference in New Issue View Git Blame Copy Permalink