Use workload identity

example/images/paperless-ngx/Dockerfile

@@ -114,7 +114,7 @@ RUN set -euxo pipefail &&\
     rm -f /usr/share/nltk_data/corpora/stopwords.zip /usr/share/nltk_data/tokenizers/punkt.zip /usr/share/nltk_data/tokenizers/punkt_tab.zip
 
 COPY root/ /
-COPY --from=danielberteaud/alpine:24.9-2 /usr/local/bin/minit /usr/local/bin/minit
+COPY --from=danielberteaud/alpine:24.9-3 /usr/local/bin/minit /usr/local/bin/minit
 
 EXPOSE ${PAPERLESS_PORT}
 USER paperless

example/paperless-ngx.nomad.hcl

@@ -84,7 +84,7 @@ job "paperless" {
       user   = 1053
 
       config {
-        image           = "danielberteaud/wait-for:24.8-1"
+        image           = "danielberteaud/wait-for:24.9-1"
         readonly_rootfs = true
         pids_limit      = 20
       }
@@ -162,7 +162,7 @@ _EOT
 
 
       vault {
-        policies     = ["paperless"]
+        role         = "paperless"
         env          = false
         disable_file = true
         change_mode  = "noop"
@@ -245,7 +245,7 @@ _EOT
 
 
       vault {
-        policies     = ["paperless"]
+        role         = "paperless"
         env          = false
         disable_file = true
         change_mode  = "noop"
@@ -324,7 +324,7 @@ _EOT
 
 
       vault {
-        policies     = ["paperless"]
+        role         = "paperless"
         env          = false
         disable_file = true
         change_mode  = "noop"
@@ -403,7 +403,7 @@ _EOT
 
 
       vault {
-        policies     = ["paperless"]
+        role         = "paperless"
         env          = false
         disable_file = true
         change_mode  = "noop"

example/vault/roles/paperless.json

@@ -0,0 +1,25 @@
+{
+  "bound_audiences": [
+    "vault.io"
+  ],
+  "bound_claims": {
+    "nomad_job_id": "paperless",
+    "nomad_namespace": "default"
+  },
+  "claim_mapping": {
+    "nomad_allocation_id": "nomad_allocation_id",
+    "nomad_job_id": "nomad_job_id",
+    "nomad_namespace": "nomad_namespace",
+    "nomad_task": "nomad_task"
+  },
+  "role_type": "jwt",
+  "token_explicit_max_ttl": 0,
+  "token_period": "1h",
+  "token_policies": [
+    "paperless"
+  ],
+  "token_type": "service",
+  "user_claim": "/nomad_allocation_id",
+  "user_claim_json_pointer": true
+}
+

variables.yml

@@ -16,9 +16,11 @@ paperless:
           local_bind_port: 5432
 
   vault:
-    # Vault policies to add to the containers
-    policies:
-      - '[[ .instance ]][[ .consul.suffix ]]'
+    workload_identity:
+      role:
+        # Vault policies to add to the containers
+        token_policies:
+          - '[[ .instance ]][[ .consul.suffix ]]'
     # Random secrets to generate and store in vault KV
     rand_secrets:
       fields:

vault/roles/paperless.json

@@ -0,0 +1 @@
+[[ template "common/vault.jwt_role" merge .paperless . ]]