Update security todos and reference node IP for consul queries

This commit is contained in:
IamTheFij 2022-09-06 14:46:49 -07:00
parent ab1c9b41cd
commit 478f9c4c8f
6 changed files with 6 additions and 30 deletions

View File

@ -10,7 +10,7 @@ resource "nomad_acl_policy" "admin" {
rules_hcl = file("${path.module}/nomad-admin-policy.hcl") rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
} }
# TODO: Limit this scope # TODO: (security) Limit this scope
resource "nomad_acl_policy" "deploy" { resource "nomad_acl_policy" "deploy" {
name = "deploy" name = "deploy"
description = "Write for job deployments" description = "Write for job deployments"

View File

@ -17,8 +17,6 @@ module "traefik" {
module "metrics" { module "metrics" {
source = "./metrics" source = "./metrics"
consul_address = var.consul_address
} }
module "loki" { module "loki" {

View File

@ -25,7 +25,6 @@ job "adminer" {
upstreams { upstreams {
destination_name = "mysql-server" destination_name = "mysql-server"
# TODO: how do I get these to not bind to the host eth0 address
local_bind_port = 4040 local_bind_port = 4040
} }

View File

@ -1,8 +1,3 @@
variable "consul_address" {
type = string
description = "address of consul server for dynamic scraping"
}
resource "nomad_job" "exporters" { resource "nomad_job" "exporters" {
hcl2 { hcl2 {
enabled = true enabled = true
@ -20,12 +15,6 @@ data "consul_nodes" "all-nodes" {
resource "nomad_job" "prometheus" { resource "nomad_job" "prometheus" {
hcl2 { hcl2 {
enabled = true enabled = true
vars = {
# TODO: May not need this because we have an env variable for that
# "consul_address" = "${var.consul_address}",
# TODO: Should this be a list?
"consul_address" = "http://${data.consul_nodes.all-nodes.nodes[0].address}:8500",
}
} }
jobspec = file("${path.module}/prometheus.nomad") jobspec = file("${path.module}/prometheus.nomad")

View File

@ -1,9 +1,3 @@
variable "consul_address" {
type = string
description = "Full address of Consul instance to get catalog from"
default = "http://127.0.0.1:5400"
}
job "prometheus" { job "prometheus" {
datacenters = ["dc1"] datacenters = ["dc1"]
@ -97,8 +91,7 @@ scrape_configs:
format: format:
- "prometheus" - "prometheus"
consul_sd_configs: consul_sd_configs:
- server: "${var.consul_address}" - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
services: services:
- "nomad-client" - "nomad-client"
@ -108,8 +101,7 @@ scrape_configs:
format: format:
- "prometheus" - "prometheus"
consul_sd_configs: consul_sd_configs:
- server: "${var.consul_address}" - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
services: services:
- "consul" - "consul"
relabel_configs: relabel_configs:
@ -120,8 +112,7 @@ scrape_configs:
- job_name: "exporters" - job_name: "exporters"
metrics_path: "/metrics" metrics_path: "/metrics"
consul_sd_configs: consul_sd_configs:
- server: "${var.consul_address}" - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
relabel_configs: relabel_configs:
- source_labels: [__meta_consul_service] - source_labels: [__meta_consul_service]
action: drop action: drop
@ -143,8 +134,7 @@ scrape_configs:
- job_name: "envoy" - job_name: "envoy"
metrics_path: "/metrics" metrics_path: "/metrics"
consul_sd_configs: consul_sd_configs:
- server: "${var.consul_address}" - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
# - server: "{{ env "CONSUL_HTTP_ADDR" }}"
relabel_configs: relabel_configs:
- source_labels: [__meta_consul_service] - source_labels: [__meta_consul_service]
action: keep action: keep

View File

@ -372,7 +372,7 @@
# Only talk to local Vault for now because it doesn't have HTTPS # Only talk to local Vault for now because it doesn't have HTTPS
nomad_vault_address: "http://127.0.0.1:8200" nomad_vault_address: "http://127.0.0.1:8200"
nomad_vault_create_from_role: "nomad-cluster" nomad_vault_create_from_role: "nomad-cluster"
# TODO: Probably want to restict this to a narrower scoped token # TODO: (security) Probably want to restict this to a narrower scoped token
nomad_vault_enabled: "{{ root_token is defined }}" nomad_vault_enabled: "{{ root_token is defined }}"
nomad_vault_token: "{{ root_token | default('') }}" nomad_vault_token: "{{ root_token | default('') }}"