iamthefij/orchestration-tests
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: iamthefij:main
Branches Tags
iamthefij:main
iamthefij:gitea
iamthefij:immich
iamthefij:nomad-only-metrics
iamthefij:cepfs
iamthefij:syslog-proxy
iamthefij:post-bootstrap-improvements
iamthefij:consul-acls
iamthefij:vault-oidc-provider
iamthefij:authelia
iamthefij:step-ca
...
pull from: iamthefij:vault-oidc-provider
Branches Tags
iamthefij:main
iamthefij:gitea
iamthefij:immich
iamthefij:nomad-only-metrics
iamthefij:cepfs
iamthefij:syslog-proxy
iamthefij:post-bootstrap-improvements
iamthefij:consul-acls
iamthefij:vault-oidc-provider
iamthefij:authelia
iamthefij:step-ca

1 Commits
main ... vault-oidc

Author SHA1 Message Date
Ian Fijolek
40b0776ce9 WIP: Enable vault oidc provider 2022-07-26 20:14:48 -07:00
4 changed files with 87 additions and 0 deletions
Show Stats Expand all files Collapse all files

6
nomad/acls/acls.tf
View File

@ -4,3 +4,9 @@ resource "nomad_acl_policy" "create_post_bootstrap_policy" {
description = "Anon RW"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
}
resource "nomad_acl_policy" "admin" {
name = "admin"
description = "admin policy with access to everything"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
}

5
nomad/acls/vars.tf
View File

@ -15,3 +15,8 @@ variable "vault_token" {
sensitive = true
default = ""
}
variable "vault_admin_password" {
type = string
sensitive = true
}

16
nomad/acls/vault_login.tf
View File

@ -6,3 +6,19 @@ resource "vault_auth_backend" "userpass" {
listing_visibility = "unauth"
}
}
resource "vault_generic_secret" "admin_user" {
path = "auth/userpass/users/admin"
data_json = <<EOT
{
"password": "${var.vault_admin_password}",
"policies": "admin"
}
EOT
depends_on = [
vault_auth_backend.userpass,
vault_policy.admin,
]
}

60
nomad/acls/vault_oidc_provider.tf Normal file
View File

@ -0,0 +1,60 @@
# Create an identity for the admin user
resource "vault_identity_entity" "admin" {
name = "admin"
policies = ["admin"]
metadata = {
email = "admin@example.com"
}
depends_on = [
vault_policy.admin,
vault_generic_secret.admin_user,
]
}
# Tie the identity to the userpass
resource "vault_identity_entity_alias" "admin" {
name = "admin"
mount_accessor = vault_auth_backend.userpass.accessor
canonical_id = vault_identity_entity.admin.id
}
# Tie the identity to a group
resource "vault_identity_group" "admins" {
name = "admins"
member_entity_ids = [vault_identity_entity.admin.id]
}
# Create an oidc client
resource "vault_identity_oidc_assignment" "everyone" {
name = "everyone"
entity_ids = [
vault_identity_entity.admin.id,
]
group_ids = [
vault_identity_group.admins.id,
]
}
resource "vault_identity_oidc_key" "key" {
name = "key"
algorithm = "RS256"
rotation_period = 3600
verification_ttl = 7200
allowed_client_ids = ["*"]
}
resource "vault_identity_oidc_client" "consul" {
name = "consul"
redirect_uris = [
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback"
]
assignments = [
vault_identity_oidc_assignment.everyone.name
]
key = vault_identity_oidc_key.key.name
id_token_ttl = 2400
access_token_ttl = 7200
}