Various cleanups in policy + lease renewal

ctctl

@@ -156,16 +156,24 @@ auth_env(){
   # Check if we have a valid nomad token already
   if [ "$(check_nomad_token)" != "1" ]; then
     echo "Obtention d'un token pour Nomad"
-    export NOMAD_TOKEN=$(vault read -field=secret_id nomad/creds/${NOMAD_ROLE})
+    NOMAD_CREDS=$(vault read -format=json nomad/creds/${NOMAD_ROLE})
+    export NOMAD_TOKEN=$(echo -n ${NOMAD_CREDS} | jq -r .data.secret_id)
+    export NOMAD_LEASE=$(echo -n ${NOMAD_CREDS} | jq -r .lease_id)
+    unset NOMAD_CREDS
   else
-    echo "Le token Nomad actuel est valide"
+    echo "Le token Nomad actuel est valide, renouvellement du bail"
+    vault lease renew ${NOMAD_LEASE}
   fi
   # Check if we have a valid consul token already
   if [ "$(check_consul_token)" != "1" ]; then
     echo "Obtention d'un token pour Consul"
-    export CONSUL_HTTP_TOKEN=$(vault read -field=token consul/creds/${CONSUL_ROLE})
+    CONSUL_CREDS=$(vault read -format=json consul/creds/${CONSUL_ROLE})
+    export CONSUL_HTTP_TOKEN=$(echo -n ${CONSUL_CREDS} | jq -r .data.token)
+    export CONSUL_LEASE=$(echo -n ${CONSUL_CREDS} | jq -r .lease_id)
+    unset CONSUL_CREDS
   else
-    echo "Le token Consul actuel est valide"
+    echo "Le token Consul actuel est valide, renouvellement du bail"
+    vault lease renew ${CONSUL_LEASE}
   fi
 
   # Now setup loki
@@ -179,6 +187,25 @@ auth_env(){
   fi
 }
 
+renew_leases(){
+  # Renew vault token
+  if [ "$(check_vault_token)" == "1" ]; then
+    vault token renew > /dev/null
+  else
+    auth_env
+  fi
+  if [ -n "${NOMAD_LEASE}" -a "$(check_nomad_token)" == "1" ]; then
+    vault token renew ${NOMAD_LEASE} >/dev/null
+  else
+    auth_env
+  fi
+  if [ -n "${CONSUL_LEASE}" -a "$(check_consul_token)" == "1" ]; then
+    vault token renew ${CONSUL_LEASE} > /dev/null
+  else
+    auth_env
+  fi
+}
+
 # Logout from the current env
 logout_env(){
   if [ -z "${CT_DOMAIN}" ]; then
@@ -461,6 +488,7 @@ get_conf(){
 
 case $1 in
   current)
+    renew_leases
     current_env
     ;;
   auth)
@@ -470,9 +498,11 @@ case $1 in
     logout_env
     ;;
   ls|list)
+    renew_leases
     ls_env
     ;;
   prep)
+    renew_leases
     render_templates
     load_policies
     load_consul_services
@@ -480,21 +510,27 @@ case $1 in
     build_images
     ;;
   volumes)
+    renew_leases
     handle_volumes
     ;;
   build)
+    renew_leases
     build_images "$2" "force"
     ;;
   build-no-cache)
+    renew_leases
     build_images "$2" "force" "no-cache"
     ;;
   tokens)
+    renew_leases
     print_tokens
     ;;
   logs)
+    renew_leases
     job_logs "$@"
     ;;
   conf)
+    renew_leases
     get_merged_conf
     ;;
   *)

vault/policies/consul-server.hcl

@@ -26,10 +26,6 @@ path "/pki/connect/*" {
   capabilities = [ "create", "read", "update", "delete", "list" ]
 }
 
-path "/pki/consul/issue/consul-server" {
-  capabilities = [ "update" ]
-}
-
 path "auth/token/renew-self" {
   capabilities = [ "update" ]
 }

vault/policies/ct-server.hcl

@@ -0,0 +1,25 @@
+# Create Vault token with the nomad-server role
+path "auth/token/create/nomad-server" {
+  capabilities = ["update"]
+}
+
+# Create Vault token with the consul-server role
+path "auth/token/create/consul-server" {
+  capabilities = ["update"]
+}
+
+# Create Consul token with the nomad-server role
+path "consul/creds/nomad-server" {
+  capabilities = ["read"]
+}
+
+# Obtain a cert for Consul agent
+path "pki/consul/issue/consul-server" {
+  capabilities = [ "update" ]
+}
+
+# Obtain a cert for Nomad agent
+path "pki/nomad/issue/nomad-server" {
+  capabilities = [ "update" ]
+}
+

vault/policies/ct-worker.hcl

@@ -0,0 +1,8 @@
+path "auth/token/create/nomad-client" {
+  capabilities = ["update"]
+}
+
+path "auth/token/roles/nomad-client" {
+  capabilities = ["read"]
+}
+

vault/policies/nomad-server-tls.hcl

@@ -1,7 +1,10 @@
+# Obtain server cert for Nomad agent
 path "pki/nomad/issue/nomad-server" {
   capabilities = ["update"]
 }
+
 # Obtain client cert for Consul
 path "pki/consul/issue/nomad-client" {
   capabilities = ["update"]
 }
+