WIP: Initial WIP
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
IamTheFij 2022-09-06 13:13:26 -07:00
parent 045fbd1945
commit 90478831fb
5 changed files with 122 additions and 1 deletions

.drone.yml Normal file

@ -0,0 +1,50 @@
---
kind: pipeline
name: publish
trigger:
event:
- push
- tag
refs:
- refs/heads/master
- refs/tags/v*
steps:
- name: push images
image: thegeeklab/drone-docker-buildx
settings:
repo: iamthefij/nomad-vault-login
auto_tag: true
platforms:
- linux/amd64
- linux/arm64
- linux/arm
username:
from_secret: docker_username
password:
from_secret: docker_password
---
kind: pipeline
name: notify
depends_on:
- publish
trigger:
status:
- failure
steps:
- name: notify
image: drillster/drone-email
settings:
host:
from_secret: SMTP_HOST # pragma: whitelist secret
username:
from_secret: SMTP_USER # pragma: whitelist secret
password:
from_secret: SMTP_PASS # pragma: whitelist secret
from: drone@iamthefij.com
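Review bot: both step images in this file, `thegeeklab/drone-docker-buildx` in `publish` and `drillster/drone-email` in `notify`, are referenced without a tag or digest, so each run pulls a mutable `latest` into the job that holds the `docker_username`/`docker_password` and `SMTP_*` secrets; pin them to a fixed version (ideally by digest) so a changed upstream image cannot silently gain access to those credentials. A smaller point: the `notify` step sets no recipient, so it relies on the plugin's default; if that is intended, a one-line comment saying so would make the failure path easier to verify.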

Dockerfile Normal file

@ -0,0 +1,10 @@
FROM python:3
WORKDIR /app
COPY ./requirements.txt /app/
RUN pip install --no-cache-dir -r ./requirements.txt
COPY ./main.py /app/
CMD ["python", "main.py"]
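Review bot: `FROM python:3` floats on the major version, so the base image changes underneath the build from one run to the next; pin it to a minor version plus digest. The container also runs `main.py` as root because there is no `USER` instruction; since the process only needs to read `/app`, add an unprivileged user before `CMD`.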

View File

@ -1,3 +1,7 @@
# nomad-vault-login
Shim service allowing authenticating a Nomad session using Vault
The idea is that this service would be run along side Nomad and Vault and proxied on the same hostname so it can write to localstorage. It would then provide a form to allow authentication with Vault and then will retrieve the token and store that in the browser for Nomad to use.
It is, as of now, completely untested and may not work at all.
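Review bot: the README should document the runtime configuration and the trust model the design implies. It explains that the service is proxied on the same hostname so it can write to localStorage, but not that anything served from that origin (the Nomad UI, the Vault UI, this shim) can then read the stored Nomad token; stating that makes it clear the hostname must not serve anything else. It also gives no setup steps: the environment variables the service reads (`VAULT_ADDR`, `NOMAD_ROLE`) and the Vault userpass auth method and Nomad secrets engine it depends on belong here.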

main.py Normal file

@ -0,0 +1,55 @@
import os
from flask import Flask
from flask import request
from hvac import Client
VAULT_ADDR = os.getenv("VAULT_ADDR", "http://127.0.0.1:8200")
NOMAD_ROLE = os.getenv("NOMAD_ROLE", "admin")
app = Flask(__name__)
@app.route('/')
def root():
# TODO: Render a basic page that checks for existance of token in local storage and displays form
return f"""
<html>
<body>
<a href="/login">Login</a>
</form>
</html>
"""
@app.route("/login", methods=["POST", "GET"])
def login():
if request.method == "GET":
return f"""
<html>
<body>
<form action="/login" method="POST">
Username <input type="text" name="username"/>
Password <input type="password" name="password"/>
<input type="submit" value="Submit"/>
</form>
</html>
"""
elif request.method == "POST":
client = Client(VAULT_ADDR)
username, password = request.form["username"], request.form["password"]
client.auth_userpass(username, password)
assert client.is_authenticated()
nomad_creds = client.read(f"nomad/creds/{NOMAD_ROLE}")
nomad_token = nomad_creds["data"]["secret_id"]
return f"""
<html><head>
<script>localStorage.setItem("nomadTokenSecret", "{nomad_token}");</script>
</head>
<body>Logged in. Go back now.</body></html>
"""
app.run(host="0.0.0.0", port=5000)
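Review bot: the POST branch of `login()` has no failure handling: `client.auth_userpass(username, password)` raises on bad credentials, and `assert client.is_authenticated()` is stripped under `python -O` and otherwise turns a wrong password into a 500 with a traceback rather than a 401; catch the hvac exception and re-render the form with an error instead. The token handling also needs a second look: `nomad_token` is interpolated straight into a `<script>` string, so it should be JSON-encoded (`json.dumps`) rather than f-string quoted, and if `client.read(f"nomad/creds/{NOMAD_ROLE}")` returns `None` (hvac does this for a missing path, e.g. an unknown role) the `["data"]` lookup raises `TypeError`. Smaller things: `root()` emits a `</form>` it never opened and never closes `<body>`, the `f"""` prefixes on the two static templates contain no placeholders, the login form carries no CSRF token, and `app.run(host="0.0.0.0", port=5000)` at module level starts the Flask development server, which the Dockerfile's `CMD ["python", "main.py"]` then relies on.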

requirements.txt Normal file

@ -0,0 +1,2 @@
flask
hvac
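Review bot: `flask` and `hvac` are listed without version pins, so the image built by the Dockerfile installs whatever is newest at build time and two builds of the same commit can differ; pin exact versions (and ideally hashes, installed with `pip install --require-hashes`) so the published image is reproducible and upgrades are deliberate.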