Update Nomad and Vault ACLs
Nomad anonymous access is now read-only, and Nomad tokens can be retrieved from Vault
This commit is contained in:
parent
92a30e6709
commit
25ec582eaf
@ -1,5 +0,0 @@
|
|||||||
resource "nomad_acl_policy" "create_post_bootstrap_policy" {
|
|
||||||
name = "anonymous"
|
|
||||||
description = "Anon RW"
|
|
||||||
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
|
|
||||||
}
|
|
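--- /dev/null
+++ b/nomad/acls/nomad-deploy-policy.hcl
@@ -0,0 +1,4 @@
+namespace "*" {
+policy = "read"
+capabilities = ["submit-job", "dispatch-job", "read-logs"]
+}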
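Review bot: `namespace "*"` hands the deploy token `submit-job` and `dispatch-job` in every namespace, including `default`, so whoever reads `nomad/creds/nomad-deploy` can register any job the cluster's drivers will run anywhere; the `# TODO: Limit this scope` elsewhere in this commit acknowledges it, but the policy file itself says nothing. Pin it to the namespace(s) deployments actually target, e.g. `namespace "apps" {`, or add a comment on the `namespace "*"` line explaining why the wildcard is required. Worth noting that a submitted job can carry a `template` stanza, so this capability is effectively bounded by whatever Vault policy task tokens receive — presumably the `nomad-task` policy added in this commit, which currently allows writes to `kv/data/*`; confirm that is intended.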
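--- /dev/null
+++ b/nomad/acls/nomad_policies.tf
@@ -0,0 +1,18 @@
+resource "nomad_acl_policy" "anon_policy" {
+name = "anonymous"
+description = "Anon RO"
+rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
+}
+
+resource "nomad_acl_policy" "admin" {
+name = "admin"
+description = "Admin RW for admins"
+rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
+}
+
+# TODO: Limit this scope
+resource "nomad_acl_policy" "deploy" {
+name = "deploy"
+description = "Admin RW"
+rules_hcl = file("${path.module}/nomad-deploy-policy.hcl")
+}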
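Review bot: The `deploy` policy is described as `"Admin RW"` while the rules file it loads grants read plus `submit-job`/`dispatch-job`/`read-logs`, and `anon_policy` is described as `"Anon RO"` while loading the same `nomad-anon-bootstrap.hcl` the deleted `"Anon RW"` policy used; since neither `nomad-anon-bootstrap.hcl` nor `nomad-admin-policy.hcl` is in this commit, the "read only" claim in the commit message cannot be verified from the diff. Descriptions are what an operator sees in `nomad acl policy list`, so they should match the rules: `description = "Deploy: read + submit/dispatch jobs, read logs"` and, if the bootstrap file was indeed tightened, consider renaming it to `nomad-anon-policy.hcl` so the name no longer suggests bootstrap-time RW access.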
@ -8,27 +8,32 @@ resource "vault_nomad_secret_backend" "config" {
|
|||||||
backend = "nomad"
|
backend = "nomad"
|
||||||
description = "Nomad ACL"
|
description = "Nomad ACL"
|
||||||
token = nomad_acl_token.vault.secret_id
|
token = nomad_acl_token.vault.secret_id
|
||||||
|
|
||||||
|
default_lease_ttl_seconds = "3600"
|
||||||
|
max_lease_ttl_seconds = "7200"
|
||||||
|
max_ttl = "240"
|
||||||
|
ttl = "120"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Vault roles generating Nomad tokens
|
||||||
resource "vault_nomad_secret_role" "nomad-deploy" {
|
resource "vault_nomad_secret_role" "nomad-deploy" {
|
||||||
backend = vault_nomad_secret_backend.config.backend
|
backend = vault_nomad_secret_backend.config.backend
|
||||||
role = "nomad-deploy"
|
role = "nomad-deploy"
|
||||||
policies = ["nomad-deploy"]
|
# Nomad policies
|
||||||
|
policies = ["deploy"]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_nomad_secret_role" "admin" {
|
resource "vault_nomad_secret_role" "admin-management" {
|
||||||
backend = vault_nomad_secret_backend.config.backend
|
backend = vault_nomad_secret_backend.config.backend
|
||||||
role = "admin-management"
|
role = "admin-management"
|
||||||
type = "management"
|
type = "management"
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_policy" "nomad-deploy" {
|
resource "vault_nomad_secret_role" "admin" {
|
||||||
name = "nomad-deploy"
|
backend = vault_nomad_secret_backend.config.backend
|
||||||
policy = <<EOH
|
role = "admin"
|
||||||
path "nomad/creds/nomad-deploy" {
|
# Nomad policies
|
||||||
capabilities = ["read"]
|
policies = ["admin"]
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Nomad Vault token access
|
# Nomad Vault token access
|
||||||
@ -40,76 +45,3 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
|
|||||||
token_period = 259200
|
token_period = 259200
|
||||||
renewable = true
|
renewable = true
|
||||||
}
|
}
|
||||||
|
|
||||||
# Policy for clusters
|
|
||||||
resource "vault_policy" "nomad-task" {
|
|
||||||
name = "nomad-task"
|
|
||||||
policy = <<EOH
|
|
||||||
# This section grants all access on "secret/*". Further restrictions can be
|
|
||||||
# applied to this broad policy, as shown below.
|
|
||||||
path "kv/data/*" {
|
|
||||||
capabilities = ["create", "read", "update", "delete", "list"]
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
|
||||||
|
|
||||||
# Policy for nomad tokens
|
|
||||||
resource "vault_policy" "nomad-token" {
|
|
||||||
name = "nomad-server"
|
|
||||||
policy = <<EOH
|
|
||||||
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
|
||||||
# should be updated if "nomad-cluster" is not used.
|
|
||||||
path "auth/token/create/nomad-cluster" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up "nomad-cluster" token role. The token role name should be
|
|
||||||
# updated if "nomad-cluster" is not used.
|
|
||||||
path "auth/token/roles/nomad-cluster" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up the token passed to Nomad to validate # the token has the
|
|
||||||
# proper capabilities. This is provided by the "default" policy.
|
|
||||||
path "auth/token/lookup-self" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up incoming tokens to validate they have permissions to access
|
|
||||||
# the tokens they are requesting. This is only required if
|
|
||||||
# `allow_unauthenticated` is set to false.
|
|
||||||
path "auth/token/lookup" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow revoking tokens that should no longer exist. This allows revoking
|
|
||||||
# tokens for dead tasks.
|
|
||||||
path "auth/token/revoke-accessor" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow checking the capabilities of our own token. This is used to validate the
|
|
||||||
# token upon startup.
|
|
||||||
path "sys/capabilities-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow our own token to be renewed.
|
|
||||||
path "auth/token/renew-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# This section grants all access on "secret/*". Further restrictions can be
|
|
||||||
# applied to this broad policy, as shown below.
|
|
||||||
path "kv/data/*" {
|
|
||||||
capabilities = ["create", "read", "update", "delete", "list"]
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
|
||||||
|
|
||||||
# Create a vault token for Nomad
|
|
||||||
# resource "vault_token" "nomad-token" {
|
|
||||||
# policies = ["nomad-server"]
|
|
||||||
# period = "72h"
|
|
||||||
# no_parent = true
|
|
||||||
# }
|
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
#
|
#
|
||||||
# mysql {
|
# mysql {
|
||||||
# # How to give access here?
|
# # How to give access here?
|
||||||
# connection_url = "{{username}}:{{password}}@tcp(localhost:3306)"
|
# connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
|
||||||
# username = ""
|
# username = ""
|
||||||
# password = ""
|
# password = ""
|
||||||
# }
|
# }
|
||||||
|
@ -7,3 +7,77 @@ path "*" {
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "vault_policy" "nomad-deploy" {
|
||||||
|
name = "nomad-deploy"
|
||||||
|
policy = <<EOH
|
||||||
|
path "nomad/creds/nomad-deploy" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
}
|
||||||
|
|
||||||
|
# Policy for clusters
|
||||||
|
resource "vault_policy" "nomad-task" {
|
||||||
|
name = "nomad-task"
|
||||||
|
policy = <<EOH
|
||||||
|
path "kv/data/*" {
|
||||||
|
# Does this need create, update, delete?
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list"]
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
}
|
||||||
|
|
||||||
|
# Policy for nomad tokens
|
||||||
|
resource "vault_policy" "nomad-server" {
|
||||||
|
name = "nomad-server"
|
||||||
|
policy = <<EOH
|
||||||
|
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
||||||
|
# should be updated if "nomad-cluster" is not used.
|
||||||
|
path "auth/token/create/nomad-cluster" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up "nomad-cluster" token role. The token role name should be
|
||||||
|
# updated if "nomad-cluster" is not used.
|
||||||
|
path "auth/token/roles/nomad-cluster" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up the token passed to Nomad to validate # the token has the
|
||||||
|
# proper capabilities. This is provided by the "default" policy.
|
||||||
|
path "auth/token/lookup-self" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow looking up incoming tokens to validate they have permissions to access
|
||||||
|
# the tokens they are requesting. This is only required if
|
||||||
|
# `allow_unauthenticated` is set to false.
|
||||||
|
path "auth/token/lookup" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow revoking tokens that should no longer exist. This allows revoking
|
||||||
|
# tokens for dead tasks.
|
||||||
|
path "auth/token/revoke-accessor" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow checking the capabilities of our own token. This is used to validate the
|
||||||
|
# token upon startup.
|
||||||
|
path "sys/capabilities-self" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allow our own token to be renewed.
|
||||||
|
path "auth/token/renew-self" {
|
||||||
|
capabilities = ["update"]
|
||||||
|
}
|
||||||
|
|
||||||
|
# This section grants all access on "secret/*". Further restrictions can be
|
||||||
|
# applied to this broad policy, as shown below.
|
||||||
|
path "kv/data/*" {
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list"]
|
||||||
|
}
|
||||||
|
EOH
|
||||||
|
}
|
||||||
|
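Review bot: `nomad-task` grants every task `create`, `update`, `delete` and `list` on `kv/data/*`; the inline `# Does this need create, update, delete?` answers itself, because a task that only renders secrets into a template needs `read`, and write access lets any submitted job overwrite secrets other jobs depend on. Change that block to `capabilities = ["read"]`, and if `kv` is a KV v2 mount as the `data/` segment suggests, `list` belongs on `kv/metadata/*` rather than `kv/data/*`. The same `kv/data/*` block is repeated at the end of `nomad-server`, where the `auth/token/*` and `sys/capabilities-self` paths already cover what the Nomad server needs from Vault, and its comment still says `secret/*`, which no longer matches the path. The enclosing `path "*"` policy starts before this hunk.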