Fix secrets access from nomad tasks
Probably can be cleaned up and updated to follow least-privilege access
parent
723b5fab78
commit
50dafc6b3e
@ -35,12 +35,24 @@ EOH
|
|||||||
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||||
role_name = "nomad-cluster"
|
role_name = "nomad-cluster"
|
||||||
token_explicit_max_ttl = 0
|
token_explicit_max_ttl = 0
|
||||||
allowed_policies = ["access-tables"]
|
allowed_policies = ["access-tables", "nomad-task"]
|
||||||
orphan = true
|
orphan = true
|
||||||
token_period = 259200
|
token_period = 259200
|
||||||
renewable = true
|
renewable = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Policy for clusters
|
||||||
|
resource "vault_policy" "nomad-task" {
|
||||||
|
name = "nomad-task"
|
||||||
|
policy = <<EOH
|
||||||
|
# This section grants all access on "secret/*". Further restrictions can be
|
||||||
|
# applied to this broad policy, as shown below.
|
||||||
|
path "kv/data/*" {
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list"]
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
}
|
||||||
|
|
||||||
# Policy for nomad tokens
|
# Policy for nomad tokens
|
||||||
resource "vault_policy" "nomad-token" {
|
resource "vault_policy" "nomad-token" {
|
||||||
name = "nomad-server"
|
name = "nomad-server"
|
||||||
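Review bot: The new `nomad-task` policy grants `create`, `read`, `update`, `delete` and `list` on `kv/data/*`, while the templates in the nextcloud job elsewhere in this commit only read `kv/data/mysql` and `kv/data/nextcloud`; a task token should get `capabilities = ["read"]` on those two paths rather than write access to every KV secret, and because every job that lists `nomad-task` receives the same grant, one job can currently read and modify another job's secrets. The comment copied above the path block still says it grants access on `secret/*`, which no longer matches `kv/data/*`, and the `# Policy for clusters` header describes the token role rather than this policy; I would replace both with `# Read-only access for Nomad task tokens; widen per task as needed`. The same broad `kv/data/*` block is also added to the `nomad-server` policy in the hunk at `@ -86,6 +98,12`.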
@ -86,6 +98,12 @@ path "sys/capabilities-self" {
|
|||||||
path "auth/token/renew-self" {
|
path "auth/token/renew-self" {
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This section grants all access on "secret/*". Further restrictions can be
|
||||||
|
# applied to this broad policy, as shown below.
|
||||||
|
path "kv/data/*" {
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list"]
|
||||||
|
}
|
||||||
EOH
|
EOH
|
||||||
}
|
}
|
||||||
|
|
||||||
|
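Review bot: The `kv/data/*` block appended to the `nomad-server` policy (the resource starts before this hunk) gives the Nomad server token full read/write on all KV secrets, but nothing on this page shows the server reading KV itself; the tasks read their secrets with tokens issued through the `nomad-cluster` token role. If the server does not need KV access, drop the block from this policy; if it does, restrict it to `capabilities = ["read"]` on the specific paths it uses. The copied comment above the block should be updated or removed either way, since it still refers to `secret/*`.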
@ -90,21 +90,43 @@ job "nextcloud" {
|
|||||||
args = [
|
args = [
|
||||||
"/bin/bash",
|
"/bin/bash",
|
||||||
"-c",
|
"-c",
|
||||||
"/usr/bin/mysql -h${NOMAD_UPSTREAM_IP_mysql_server} -P${NOMAD_UPSTREAM_PORT_mysql_server} -uroot -psupersecretpassword < /bootstrap.sql",
|
"/usr/bin/mysql --defaults-extra-file=/task/my.cnf < /task/bootstrap.sql",
|
||||||
]
|
]
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
type = "bind"
|
type = "bind"
|
||||||
source = "local/bootstrap.sql"
|
source = "local/"
|
||||||
target = "/bootstrap.sql"
|
target = "/task/"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
vault {
|
||||||
|
policies = [
|
||||||
|
"access-tables",
|
||||||
|
"nomad-task",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<EOF
|
data = <<EOF
|
||||||
CREATE DATABASE IF NOT EXISTS `${var.nextcloud_db}`;
|
[client]
|
||||||
CREATE USER IF NOT EXISTS '${var.nextcloud_user}'@'%' IDENTIFIED BY '${var.nextcloud_pass}';
|
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
|
||||||
GRANT ALL ON `${var.nextcloud_db}`.* to '${var.nextcloud_user}'@'%';
|
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
|
||||||
|
user=root
|
||||||
|
{{ with secret "kv/data/mysql" }}
|
||||||
|
password={{ .Data.data.root_password }}
|
||||||
|
{{ end }}
|
||||||
|
EOF
|
||||||
|
destination = "local/my.cnf"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOF
|
||||||
|
{{ with secret "kv/data/nextcloud" }}
|
||||||
|
CREATE DATABASE IF NOT EXISTS `{{ .Data.data.db_name }}`;
|
||||||
|
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
|
||||||
|
GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
|
||||||
|
{{ end }}
|
||||||
EOF
|
EOF
|
||||||
destination = "local/bootstrap.sql"
|
destination = "local/bootstrap.sql"
|
||||||
}
|
}
|
||||||
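Review bot: The rendered `local/my.cnf` now carries the MySQL root password and `local/bootstrap.sql` the nextcloud DB password, but both land in the task's `local/` directory while the nextcloud task in the next hunk renders its credentials into `secrets/`, which is the Nomad directory intended for rendered secrets; I would change `destination = "local/my.cnf"` to `destination = "secrets/my.cnf"`, `destination = "local/bootstrap.sql"` to `destination = "secrets/bootstrap.sql"`, and the mount to `source = "secrets/"`. The literal `supersecretpassword` removed from `args` remains in git history, so the root password should be rotated as part of this change. In the bootstrap template, `.Data.data.db_user` and `.Data.data.db_pass` are spliced directly into SQL string literals, so a quote character in the stored value would break or alter the statement; either keep those values free of quotes or escape them in the template.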
@ -131,9 +153,25 @@ job "nextcloud" {
|
|||||||
|
|
||||||
env = {
|
env = {
|
||||||
"MYSQL_HOST" = "${NOMAD_UPSTREAM_ADDR_mysql_server}"
|
"MYSQL_HOST" = "${NOMAD_UPSTREAM_ADDR_mysql_server}"
|
||||||
"MYSQL_DATABASE" = "${var.nextcloud_db}"
|
}
|
||||||
"MYSQL_USER" = "${var.nextcloud_user}"
|
|
||||||
"MYSQL_PASSWORD" = "${var.nextcloud_pass}"
|
vault {
|
||||||
|
policies = [
|
||||||
|
"access-tables",
|
||||||
|
"nomad-task",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOF
|
||||||
|
{{ with secret "kv/data/nextcloud" }}
|
||||||
|
MYSQL_DATABASE={{ .Data.data.db_name }}
|
||||||
|
MYSQL_USER={{ .Data.data.db_user }}
|
||||||
|
MYSQL_PASSWORD={{ .Data.data.db_pass }}
|
||||||
|
{{ end }}
|
||||||
|
EOF
|
||||||
|
destination = "secrets/db.env"
|
||||||
|
env = true
|
||||||
}
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
|
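Review bot: The `{{ with secret "kv/data/nextcloud" }}` guard in the new `secrets/db.env` template means that, if the secret is absent, the block renders nothing and the task starts without `MYSQL_DATABASE`, `MYSQL_USER` and `MYSQL_PASSWORD` instead of failing; I believe adding `error_on_missing_key = true` to this template block makes a missing field a render error, and the same guard is used by both templates in the bootstrap task in the previous hunk. This task is granted both `access-tables` and `nomad-task`, but its template reads only `kv/data/nextcloud`; if `access-tables` (defined outside this page) is not required here it should be dropped from `policies`. The enclosing task block continues past `resources {` outside this hunk.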