WIP: Initial WIP

2022-09-06 13:13:26 -07:00 · 2022-09-06 13:13:26 -07:00 · 90478831fb
commit 90478831fb
parent 045fbd1945
5 changed files with 122 additions and 1 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,50 @@
+---
+kind: pipeline
+name: publish
+
+trigger:
+  event:
+    - push
+    - tag
+  refs:
+    - refs/heads/master
+    - refs/tags/v*
+
+steps:
+  - name: push images
+    image: thegeeklab/drone-docker-buildx
+    settings:
+      repo: iamthefij/nomad-vault-login
+      auto_tag: true
+      platforms:
+        - linux/amd64
+        - linux/arm64
+        - linux/arm
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+
+---
+kind: pipeline
+name: notify
+
+depends_on:
+  - publish
+
+trigger:
+  status:
+    - failure
+
+steps:
+
+  - name: notify
+    image: drillster/drone-email
+    settings:
+      host:
+        from_secret: SMTP_HOST  # pragma: whitelist secret
+      username:
+        from_secret: SMTP_USER  # pragma: whitelist secret
+      password:
+        from_secret: SMTP_PASS  # pragma: whitelist secret
+      from: drone@iamthefij.com
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+FROM python:3
+
+WORKDIR /app
+
+COPY ./requirements.txt /app/
+RUN pip install --no-cache-dir -r ./requirements.txt
+
+COPY ./main.py /app/
+
+CMD ["python", "main.py"]
--- a/README.md
+++ b/README.md
@ -1,3 +1,7 @@
 # nomad-vault-login

-Shim service allowing authenticating a Nomad session using Vault
+Shim service allowing authenticating a Nomad session using Vault
+
+The idea is that this service would be run along side Nomad and Vault and proxied on the same hostname so it can write to localstorage. It would then provide a form to allow authentication with Vault and then will retrieve the token and store that in the browser for Nomad to use.
+
+It is, as of now, completely untested and may not work at all.
--- a/main.py
+++ b/main.py
@ -0,0 +1,55 @@
+import os
+
+from flask import Flask
+from flask import request
+from hvac import Client
+
+
+VAULT_ADDR = os.getenv("VAULT_ADDR", "http://127.0.0.1:8200")
+NOMAD_ROLE = os.getenv("NOMAD_ROLE", "admin")
+
+
+app = Flask(__name__)
+
+
+@app.route('/')
+def root():
+    # TODO: Render a basic page that checks for existance of token in local storage and displays form
+    return f"""
+<html>
+<body>
+<a href="/login">Login</a>
+</form>
+</html>
+"""
+
+
+@app.route("/login", methods=["POST", "GET"])
+def login():
+    if request.method == "GET":
+        return f"""
+<html>
+<body>
+<form action="/login" method="POST">
+Username <input type="text" name="username"/>
+Password <input type="password" name="password"/>
+<input type="submit" value="Submit"/>
+</form>
+</html>
+"""
+    elif request.method == "POST":
+        client = Client(VAULT_ADDR)
+        username, password = request.form["username"], request.form["password"]
+        client.auth_userpass(username, password)
+        assert client.is_authenticated()
+        nomad_creds = client.read(f"nomad/creds/{NOMAD_ROLE}")
+        nomad_token = nomad_creds["data"]["secret_id"]
+        return f"""
+<html><head>
+<script>localStorage.setItem("nomadTokenSecret", "{nomad_token}");</script>
+</head>
+<body>Logged in. Go back now.</body></html>
+"""
+
+
+app.run(host="0.0.0.0", port=5000)
--- a/requirements.txt
+++ b/requirements.txt
@ -0,0 +1,2 @@
+flask
+hvac