Fix secrets access from nomad tasks

Probably can be cleaned up and updated to follow least privilege.
This commit is contained in:
IamTheFij 2022-06-28 12:11:07 -07:00
parent 723b5fab78
commit 50dafc6b3e
2 changed files with 66 additions and 10 deletions


@ -35,12 +35,24 @@ EOH
resource "vault_token_auth_backend_role" "nomad-cluster" { resource "vault_token_auth_backend_role" "nomad-cluster" {
role_name = "nomad-cluster" role_name = "nomad-cluster"
token_explicit_max_ttl = 0 token_explicit_max_ttl = 0
allowed_policies = ["access-tables"] allowed_policies = ["access-tables", "nomad-task"]
orphan = true orphan = true
token_period = 259200 token_period = 259200
renewable = true renewable = true
} }
# Policy for clusters
resource "vault_policy" "nomad-task" {
name = "nomad-task"
policy = <<EOH
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
# Policy for nomad tokens # Policy for nomad tokens
resource "vault_policy" "nomad-token" { resource "vault_policy" "nomad-token" {
name = "nomad-server" name = "nomad-server"
@ -86,6 +98,12 @@ path "sys/capabilities-self" {
path "auth/token/renew-self" { path "auth/token/renew-self" {
capabilities = ["update"] capabilities = ["update"]
} }
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH EOH
} }
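Review bot: The `nomad-task` policy added in the first hunk grants create/read/update/delete/list on `kv/data/*`, which is far broader than what the nextcloud job in this same commit needs (it only reads `kv/data/mysql` and `kv/data/nextcloud`), and the copied comment still talks about `secret/*` and promises restrictions "as shown below" that the policy body does not contain. I would scope it to the real need, e.g. `path "kv/data/nextcloud" { capabilities = ["read"] }` plus the same for `kv/data/mysql`, and reword the comment to `# Read-only access to the KV v2 secrets that Nomad tasks render via template blocks`. The second hunk adds the identical wildcard block to the `nomad-server` policy; since task tokens are minted through the nomad-cluster role with their own allowed_policies, the server token itself presumably does not need KV data access, so that grant looks redundant unless something outside this diff relies on it. Note also that for KV v2 the `list` capability is evaluated on the `kv/metadata/` path, so `list` under `kv/data/*` grants nothing useful and can be dropped.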


@ -90,21 +90,43 @@ job "nextcloud" {
args = [ args = [
"/bin/bash", "/bin/bash",
"-c", "-c",
"/usr/bin/mysql -h${NOMAD_UPSTREAM_IP_mysql_server} -P${NOMAD_UPSTREAM_PORT_mysql_server} -uroot -psupersecretpassword < /bootstrap.sql", "/usr/bin/mysql --defaults-extra-file=/task/my.cnf < /task/bootstrap.sql",
] ]
mount { mount {
type = "bind" type = "bind"
source = "local/bootstrap.sql" source = "local/"
target = "/bootstrap.sql" target = "/task/"
} }
} }
vault {
policies = [
"access-tables",
"nomad-task",
]
}
template { template {
data = <<EOF data = <<EOF
CREATE DATABASE IF NOT EXISTS `${var.nextcloud_db}`; [client]
CREATE USER IF NOT EXISTS '${var.nextcloud_user}'@'%' IDENTIFIED BY '${var.nextcloud_pass}'; host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
GRANT ALL ON `${var.nextcloud_db}`.* to '${var.nextcloud_user}'@'%'; port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" }}
password={{ .Data.data.root_password }}
{{ end }}
EOF
destination = "local/my.cnf"
}
template {
data = <<EOF
{{ with secret "kv/data/nextcloud" }}
CREATE DATABASE IF NOT EXISTS `{{ .Data.data.db_name }}`;
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
{{ end }}
EOF EOF
destination = "local/bootstrap.sql" destination = "local/bootstrap.sql"
} }
@ -131,9 +153,25 @@ job "nextcloud" {
env = { env = {
"MYSQL_HOST" = "${NOMAD_UPSTREAM_ADDR_mysql_server}" "MYSQL_HOST" = "${NOMAD_UPSTREAM_ADDR_mysql_server}"
"MYSQL_DATABASE" = "${var.nextcloud_db}" }
"MYSQL_USER" = "${var.nextcloud_user}"
"MYSQL_PASSWORD" = "${var.nextcloud_pass}" vault {
policies = [
"access-tables",
"nomad-task",
]
}
template {
data = <<EOF
{{ with secret "kv/data/nextcloud" }}
MYSQL_DATABASE={{ .Data.data.db_name }}
MYSQL_USER={{ .Data.data.db_user }}
MYSQL_PASSWORD={{ .Data.data.db_pass }}
{{ end }}
EOF
destination = "secrets/db.env"
env = true
} }
resources { resources {