Get mysql root from vault

nomad/databases/mysql.nomad

@@ -56,6 +56,18 @@ job "mysql-server" {
     task "mysql-server" {
       driver = "docker"
 
+      config {
+        image = "mysql:8"
+        ports = ["db"]
+      }
+
+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
       volume_mount {
         volume = "mysql-data"
         destination = "/var/lib/mysql"
@@ -63,14 +75,18 @@ job "mysql-server" {
       }
 
       env = {
-        "MYSQL_ROOT_PASSWORD" = "supersecretpassword"
         # Allow connections from any host
         "MYSQL_ROOT_HOST" = "%"
       }
 
-      config {
-        image = "mysql:8"
-        ports = ["db"]
+      template {
+        data = <<EOH
+{{ with secret "kv/data/mysql" }}
+MYSQL_ROOT_PASSWORD={{ Data.data.root_password }}
+{{ end }}
+        EOH
+        destination = "secrets/db.env"
+        env = true
       }
 
       resources {