Add stunnel for ldap as part of service template

This commit is contained in:
IamTheFij 2023-07-06 17:16:36 -07:00
parent acc80868f9
commit 8650ab973a
2 changed files with 47 additions and 5 deletions


@ -9,13 +9,13 @@ job "lldap" {
port "web" { port "web" {
host_network = "wesher" host_network = "wesher"
to = 17170
} }
port "ldap" { port "ldap" {
host_network = "wesher" host_network = "wesher"
to = 3890
} }
port "tls" {}
} }
service { service {
@ -24,6 +24,12 @@ job "lldap" {
port = "ldap" port = "ldap"
} }
service {
name = "lldap-tls"
provider = "nomad"
port = "tls"
}
service { service {
name = "ldap-admin" name = "ldap-admin"
provider = "nomad" provider = "nomad"
@ -39,7 +45,7 @@ job "lldap" {
driver = "docker" driver = "docker"
config { config {
image = "nitnelave/lldap:v0.4.3" image = "nitnelave/lldap:latest"
ports = ["ldap", "web"] ports = ["ldap", "web"]
args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"] args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
} }
@ -51,7 +57,7 @@ job "lldap" {
template { template {
data = <<EOH data = <<EOH
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}" ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
{{ with nomadVar "nomad/jobs/lldap" -}} {{ with nomadVar "nomad/jobs/lldap" -}}
database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}" database_url = "mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}"
@ -157,6 +163,7 @@ SELECT 'NOOP';
config { config {
image = "alpine:3.17" image = "alpine:3.17"
ports = ["tls"]
args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"] args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
} }
@ -180,6 +187,12 @@ syslog = no
foreground = yes foreground = yes
delay = yes delay = yes
[ldap_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
ciphers = PSK
PSKsecrets = {{ env "NOMAD_TASK_DIR" }}/stunnel_psk.txt
[mysql_client] [mysql_client]
client = yes client = yes
accept = 127.0.0.1:3306 accept = 127.0.0.1:3306
@ -191,6 +204,15 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
destination = "${NOMAD_TASK_DIR}/stunnel.conf" destination = "${NOMAD_TASK_DIR}/stunnel.conf"
} }
template {
data = <<EOF
{{ with nomadVar "nomad/jobs/lldap/lldap/stunnel" -}}
{{ .allowed_psks }}
{{- end }}
EOF
destination = "${NOMAD_TASK_DIR}/stunnel_psk.txt"
}
template { template {
data = <<EOF data = <<EOF
{{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}} {{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
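Review bot: The server-side PSK list is written to `${NOMAD_TASK_DIR}/stunnel_psk.txt` (the new template in the `-191` hunk, referenced by `PSKsecrets` in the `[ldap_server]` section of the `-180` hunk), while the sibling `mysql_stunnel_psk.txt` a few lines away lives under `NOMAD_SECRETS_DIR`. The task directory is ordinary allocation storage that stays on disk and is browsable through `nomad alloc fs`, whereas the secrets directory is the (on Linux, tmpfs) location Nomad reserves for exactly this material, so the accepted client keys should follow the existing convention — `destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"` paired with `PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt` — and, if stunnel runs as the file's owner in this image, `perms = "0600"` on the template stanza. Separately, `port "tls" {}` in the first hunk carries no `host_network = "wesher"` unlike the `web` and `ldap` ports beside it, so the stunnel listener presumably lands on the node's default host network rather than the overlay; confirm that wider exposure is intended. The `-39` hunk also moves the image from `nitnelave/lldap:v0.4.3` to `nitnelave/lldap:latest`, which makes the deployment non-reproducible and pulls whatever upstream publishes next; a version tag or digest is the safer choice for an identity service.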


@ -267,6 +267,16 @@ accept = 127.0.0.1:6379
connect = {{ .Address }}:{{ .Port }} connect = {{ .Address }}:{{ .Port }}
{{- end }} {{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
%{~ endif }
%{~ if use_ldap }
[ldap_client]
client = yes
accept = 127.0.0.1:389
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "lldap-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/ldap_stunnel_psk.txt
%{~ endif } %{~ endif }
EOF EOF
destination = "$${NOMAD_TASK_DIR}/stunnel.conf" destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
@ -274,21 +284,31 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
%{~ if use_mysql } %{~ if use_mysql }
template { template {
# TODO: move psk to nomad/jobs/name/name/stunnel
data = <<EOF data = <<EOF
{{- with nomadVar "nomad/jobs/${name}" }}{{ .mysql_stunnel_psk }}{{ end -}} {{- with nomadVar "nomad/jobs/${name}" }}{{ .mysql_stunnel_psk }}{{ end -}}
EOF EOF
destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt" destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
} }
%{ endif } %{ endif }
%{~ if use_redis } %{~ if use_redis }
template { template {
# TODO: move psk to nomad/jobs/name/name/stunnel
data = <<EOF data = <<EOF
{{- with nomadVar "nomad/jobs/${name}" }}{{ .redis_stunnel_psk }}{{ end -}} {{- with nomadVar "nomad/jobs/${name}" }}{{ .redis_stunnel_psk }}{{ end -}}
EOF EOF
destination = "$${NOMAD_SECRETS_DIR}/redis_stunnel_psk.txt" destination = "$${NOMAD_SECRETS_DIR}/redis_stunnel_psk.txt"
} }
%{~ endif } %{~ endif }
%{~ if use_ldap }
template {
# TODO: move psk to nomad/jobs/name/name/stunnel
data = <<EOF
{{- with nomadVar "nomad/jobs/${name}" }}{{ .ldap_stunnel_psk }}{{ end -}}
EOF
destination = "$${NOMAD_SECRETS_DIR}/ldap_stunnel_psk.txt"
}
%{~ endif }
} }
%{~ endif } %{~ endif }
} }
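Review bot: The client key added in the `-274` hunk is read from `nomadVar "nomad/jobs/${name}"` while the server's accepted list is read from `nomad/jobs/lldap/lldap/stunnel` in the lldap job, so every consumer of `use_ldap` now depends on two variables that nothing validates against each other, and when `.ldap_stunnel_psk` is absent the `with` block renders an empty `ldap_stunnel_psk.txt` and stunnel only fails at start-up, far from the actual cause. Since stunnel resolves the key by the identity before the colon, each job's entry must appear in the server's `allowed_psks` with an identity unique to that job; that contract is worth stating next to the new `TODO`, e.g. `# Must match a line in nomad/jobs/lldap/lldap/stunnel.allowed_psks (identity:key, identity unique per job)`. The `[ldap_client]` section in the `-267` hunk is otherwise consistent with the redis block above it; note that the block enclosing these template stanzas begins before the first hunk and is not visible here.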