Update to 2023-07-09 17:00

roles/vault_agent/templates/nomad/agent_bundle.pem.tpl.j2

@@ -2,8 +2,9 @@
 [[ .CA ]]
 [[ .Cert ]]
 [[ .Key ]]
-[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]
-[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0640" ]]
+[[ .Cert | writeToFile "{{ nomad_conf.tls.cert_file }}" "root" "{{ nomad_user }}" "0644" ]]
+[[ .CA | writeToFile "{{ nomad_conf.tls.cert_file }}" "" "" "0644" "append,newline" ]]
+[[ .Key | writeToFile "{{ nomad_conf.tls.key_file }}" "root" "{{ nomad_user }}" "0640" ]]
 [[ end ]]
 [[ with secret "{{ vault_agent_nomad.nomad_pki.path }}/cert/ca_chain" ]]
 [[ .Data.certificate | writeToFile "{{ nomad_conf.tls.ca_file }}" "{{ nomad_user }}" "{{ nomad_user }}" "0644" ]]

roles/vault_agent/templates/nomad/update_nomad_cert.sh.j2

@@ -13,7 +13,7 @@ elif [ "$(echo ${VAULT_STATUS} | jq .initialized)" != "true" ]; then
   echo "Vault is not initialized yet, exiting"
 else
   echo Updating Vault certificate to access Nomad API
-  vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path }}/config/access \
+  vault write {{ vault_agent_nomad.nomad_pki.cli.secret_path | default('nomad') }}/config/access \
     ca_cert="$(cat {{ nomad_root_dir }}/tls/ca.crt)" \
     client_cert="$(cat {{ nomad_root_dir }}/tls/cli.crt)" \
     client_key="$(cat {{ nomad_root_dir }}/tls/cli.key)"