Update Nomad and Vault ACLs
Now nomad is read only and tokens can be retrieved from Vault
This commit is contained in:
parent
5e4ca8efda
commit
64a9302276
@ -1,5 +0,0 @@
|
||||
resource "nomad_acl_policy" "create_post_bootstrap_policy" {
|
||||
name = "anonymous"
|
||||
description = "Anon RW"
|
||||
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
|
||||
}
|
4
acls/nomad-deploy-policy.hcl
Normal file
4
acls/nomad-deploy-policy.hcl
Normal file
@ -0,0 +1,4 @@
|
||||
namespace "*" {
|
||||
policy = "read"
|
||||
capabilities = ["submit-job", "dispatch-job", "read-logs"]
|
||||
}
|
18
acls/nomad_policies.tf
Normal file
18
acls/nomad_policies.tf
Normal file
@ -0,0 +1,18 @@
|
||||
resource "nomad_acl_policy" "anon_policy" {
|
||||
name = "anonymous"
|
||||
description = "Anon RO"
|
||||
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
|
||||
}
|
||||
|
||||
resource "nomad_acl_policy" "admin" {
|
||||
name = "admin"
|
||||
description = "Admin RW for admins"
|
||||
rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
|
||||
}
|
||||
|
||||
# TODO: Limit this scope
|
||||
resource "nomad_acl_policy" "deploy" {
|
||||
name = "deploy"
|
||||
description = "Admin RW"
|
||||
rules_hcl = file("${path.module}/nomad-deploy-policy.hcl")
|
||||
}
|
@ -8,27 +8,32 @@ resource "vault_nomad_secret_backend" "config" {
|
||||
backend = "nomad"
|
||||
description = "Nomad ACL"
|
||||
token = nomad_acl_token.vault.secret_id
|
||||
|
||||
default_lease_ttl_seconds = "3600"
|
||||
max_lease_ttl_seconds = "7200"
|
||||
max_ttl = "240"
|
||||
ttl = "120"
|
||||
}
|
||||
|
||||
# Vault roles generating Nomad tokens
|
||||
resource "vault_nomad_secret_role" "nomad-deploy" {
|
||||
backend = vault_nomad_secret_backend.config.backend
|
||||
role = "nomad-deploy"
|
||||
policies = ["nomad-deploy"]
|
||||
# Nomad policies
|
||||
policies = ["deploy"]
|
||||
}
|
||||
|
||||
resource "vault_nomad_secret_role" "admin" {
|
||||
resource "vault_nomad_secret_role" "admin-management" {
|
||||
backend = vault_nomad_secret_backend.config.backend
|
||||
role = "admin-management"
|
||||
type = "management"
|
||||
}
|
||||
|
||||
resource "vault_policy" "nomad-deploy" {
|
||||
name = "nomad-deploy"
|
||||
policy = <<EOH
|
||||
path "nomad/creds/nomad-deploy" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOH
|
||||
resource "vault_nomad_secret_role" "admin" {
|
||||
backend = vault_nomad_secret_backend.config.backend
|
||||
role = "admin"
|
||||
# Nomad policies
|
||||
policies = ["admin"]
|
||||
}
|
||||
|
||||
# Nomad Vault token access
|
||||
@ -40,76 +45,3 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||
token_period = 259200
|
||||
renewable = true
|
||||
}
|
||||
|
||||
# Policy for clusters
|
||||
resource "vault_policy" "nomad-task" {
|
||||
name = "nomad-task"
|
||||
policy = <<EOH
|
||||
# This section grants all access on "secret/*". Further restrictions can be
|
||||
# applied to this broad policy, as shown below.
|
||||
path "kv/data/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
EOH
|
||||
}
|
||||
|
||||
# Policy for nomad tokens
|
||||
resource "vault_policy" "nomad-token" {
|
||||
name = "nomad-server"
|
||||
policy = <<EOH
|
||||
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
||||
# should be updated if "nomad-cluster" is not used.
|
||||
path "auth/token/create/nomad-cluster" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow looking up "nomad-cluster" token role. The token role name should be
|
||||
# updated if "nomad-cluster" is not used.
|
||||
path "auth/token/roles/nomad-cluster" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up the token passed to Nomad to validate # the token has the
|
||||
# proper capabilities. This is provided by the "default" policy.
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up incoming tokens to validate they have permissions to access
|
||||
# the tokens they are requesting. This is only required if
|
||||
# `allow_unauthenticated` is set to false.
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow revoking tokens that should no longer exist. This allows revoking
|
||||
# tokens for dead tasks.
|
||||
path "auth/token/revoke-accessor" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow checking the capabilities of our own token. This is used to validate the
|
||||
# token upon startup.
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow our own token to be renewed.
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# This section grants all access on "secret/*". Further restrictions can be
|
||||
# applied to this broad policy, as shown below.
|
||||
path "kv/data/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
EOH
|
||||
}
|
||||
|
||||
# Create a vault token for Nomad
|
||||
# resource "vault_token" "nomad-token" {
|
||||
# policies = ["nomad-server"]
|
||||
# period = "72h"
|
||||
# no_parent = true
|
||||
# }
|
||||
|
@ -10,7 +10,7 @@
|
||||
#
|
||||
# mysql {
|
||||
# # How to give access here?
|
||||
# connection_url = "{{username}}:{{password}}@tcp(localhost:3306)"
|
||||
# connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
|
||||
# username = ""
|
||||
# password = ""
|
||||
# }
|
||||
|
@ -7,3 +7,77 @@ path "*" {
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
resource "vault_policy" "nomad-deploy" {
|
||||
name = "nomad-deploy"
|
||||
policy = <<EOH
|
||||
path "nomad/creds/nomad-deploy" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
EOH
|
||||
}
|
||||
|
||||
# Policy for clusters
|
||||
resource "vault_policy" "nomad-task" {
|
||||
name = "nomad-task"
|
||||
policy = <<EOH
|
||||
path "kv/data/*" {
|
||||
# Does this need create, update, delete?
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
EOH
|
||||
}
|
||||
|
||||
# Policy for nomad tokens
|
||||
resource "vault_policy" "nomad-server" {
|
||||
name = "nomad-server"
|
||||
policy = <<EOH
|
||||
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
||||
# should be updated if "nomad-cluster" is not used.
|
||||
path "auth/token/create/nomad-cluster" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow looking up "nomad-cluster" token role. The token role name should be
|
||||
# updated if "nomad-cluster" is not used.
|
||||
path "auth/token/roles/nomad-cluster" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up the token passed to Nomad to validate # the token has the
|
||||
# proper capabilities. This is provided by the "default" policy.
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up incoming tokens to validate they have permissions to access
|
||||
# the tokens they are requesting. This is only required if
|
||||
# `allow_unauthenticated` is set to false.
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow revoking tokens that should no longer exist. This allows revoking
|
||||
# tokens for dead tasks.
|
||||
path "auth/token/revoke-accessor" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow checking the capabilities of our own token. This is used to validate the
|
||||
# token upon startup.
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow our own token to be renewed.
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# This section grants all access on "secret/*". Further restrictions can be
|
||||
# applied to this broad policy, as shown below.
|
||||
path "kv/data/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
EOH
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user