This commit is contained in:
parent
045fbd1945
commit
90478831fb
50
.drone.yml
Normal file
50
.drone.yml
Normal file
@ -0,0 +1,50 @@
|
||||
---
|
||||
kind: pipeline
|
||||
name: publish
|
||||
|
||||
trigger:
|
||||
event:
|
||||
- push
|
||||
- tag
|
||||
refs:
|
||||
- refs/heads/master
|
||||
- refs/tags/v*
|
||||
|
||||
steps:
|
||||
- name: push images
|
||||
image: thegeeklab/drone-docker-buildx
|
||||
settings:
|
||||
repo: iamthefij/nomad-vault-login
|
||||
auto_tag: true
|
||||
platforms:
|
||||
- linux/amd64
|
||||
- linux/arm64
|
||||
- linux/arm
|
||||
username:
|
||||
from_secret: docker_username
|
||||
password:
|
||||
from_secret: docker_password
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: notify
|
||||
|
||||
depends_on:
|
||||
- publish
|
||||
|
||||
trigger:
|
||||
status:
|
||||
- failure
|
||||
|
||||
steps:
|
||||
|
||||
- name: notify
|
||||
image: drillster/drone-email
|
||||
settings:
|
||||
host:
|
||||
from_secret: SMTP_HOST # pragma: whitelist secret
|
||||
username:
|
||||
from_secret: SMTP_USER # pragma: whitelist secret
|
||||
password:
|
||||
from_secret: SMTP_PASS # pragma: whitelist secret
|
||||
from: drone@iamthefij.com
|
10
Dockerfile
Normal file
10
Dockerfile
Normal file
@ -0,0 +1,10 @@
|
||||
FROM python:3
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
COPY ./requirements.txt /app/
|
||||
RUN pip install --no-cache-dir -r ./requirements.txt
|
||||
|
||||
COPY ./main.py /app/
|
||||
|
||||
CMD ["python", "main.py"]
|
@ -1,3 +1,7 @@
|
||||
# nomad-vault-login
|
||||
|
||||
Shim service allowing authenticating a Nomad session using Vault
|
||||
|
||||
The idea is that this service would be run along side Nomad and Vault and proxied on the same hostname so it can write to localstorage. It would then provide a form to allow authentication with Vault and then will retrieve the token and store that in the browser for Nomad to use.
|
||||
|
||||
It is, as of now, completely untested and may not work at all.
|
||||
|
55
main.py
Normal file
55
main.py
Normal file
@ -0,0 +1,55 @@
|
||||
import os
|
||||
|
||||
from flask import Flask
|
||||
from flask import request
|
||||
from hvac import Client
|
||||
|
||||
|
||||
VAULT_ADDR = os.getenv("VAULT_ADDR", "http://127.0.0.1:8200")
|
||||
NOMAD_ROLE = os.getenv("NOMAD_ROLE", "admin")
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@app.route('/')
|
||||
def root():
|
||||
# TODO: Render a basic page that checks for existance of token in local storage and displays form
|
||||
return f"""
|
||||
<html>
|
||||
<body>
|
||||
<a href="/login">Login</a>
|
||||
</form>
|
||||
</html>
|
||||
"""
|
||||
|
||||
|
||||
@app.route("/login", methods=["POST", "GET"])
|
||||
def login():
|
||||
if request.method == "GET":
|
||||
return f"""
|
||||
<html>
|
||||
<body>
|
||||
<form action="/login" method="POST">
|
||||
Username <input type="text" name="username"/>
|
||||
Password <input type="password" name="password"/>
|
||||
<input type="submit" value="Submit"/>
|
||||
</form>
|
||||
</html>
|
||||
"""
|
||||
elif request.method == "POST":
|
||||
client = Client(VAULT_ADDR)
|
||||
username, password = request.form["username"], request.form["password"]
|
||||
client.auth_userpass(username, password)
|
||||
assert client.is_authenticated()
|
||||
nomad_creds = client.read(f"nomad/creds/{NOMAD_ROLE}")
|
||||
nomad_token = nomad_creds["data"]["secret_id"]
|
||||
return f"""
|
||||
<html><head>
|
||||
<script>localStorage.setItem("nomadTokenSecret", "{nomad_token}");</script>
|
||||
</head>
|
||||
<body>Logged in. Go back now.</body></html>
|
||||
"""
|
||||
|
||||
|
||||
app.run(host="0.0.0.0", port=5000)
|
2
requirements.txt
Normal file
2
requirements.txt
Normal file
@ -0,0 +1,2 @@
|
||||
flask
|
||||
hvac
|
Loading…
Reference in New Issue
Block a user