Various cleanups in policy + lease renewal
parent
ab827960bb
commit
32c0882b46
44
ctctl
44
ctctl
|
@ -156,16 +156,24 @@ auth_env(){
|
|||
# Check if we have a valid nomad token already
|
||||
if [ "$(check_nomad_token)" != "1" ]; then
|
||||
echo "Obtention d'un token pour Nomad"
|
||||
export NOMAD_TOKEN=$(vault read -field=secret_id nomad/creds/${NOMAD_ROLE})
|
||||
NOMAD_CREDS=$(vault read -format=json nomad/creds/${NOMAD_ROLE})
|
||||
export NOMAD_TOKEN=$(echo -n ${NOMAD_CREDS} | jq -r .data.secret_id)
|
||||
export NOMAD_LEASE=$(echo -n ${NOMAD_CREDS} | jq -r .lease_id)
|
||||
unset NOMAD_CREDS
|
||||
else
|
||||
echo "Le token Nomad actuel est valide"
|
||||
echo "Le token Nomad actuel est valide, renouvellement du bail"
|
||||
vault lease renew ${NOMAD_LEASE}
|
||||
fi
|
||||
# Check if we have a valid consul token already
|
||||
if [ "$(check_consul_token)" != "1" ]; then
|
||||
echo "Obtention d'un token pour Consul"
|
||||
export CONSUL_HTTP_TOKEN=$(vault read -field=token consul/creds/${CONSUL_ROLE})
|
||||
CONSUL_CREDS=$(vault read -format=json consul/creds/${CONSUL_ROLE})
|
||||
export CONSUL_HTTP_TOKEN=$(echo -n ${CONSUL_CREDS} | jq -r .data.token)
|
||||
export CONSUL_LEASE=$(echo -n ${CONSUL_CREDS} | jq -r .lease_id)
|
||||
unset CONSUL_CREDS
|
||||
else
|
||||
echo "Le token Consul actuel est valide"
|
||||
echo "Le token Consul actuel est valide, renouvellement du bail"
|
||||
vault lease renew ${CONSUL_LEASE}
|
||||
fi
|
||||
|
||||
# Now setup loki
|
||||
|
@ -179,6 +187,25 @@ auth_env(){
|
|||
fi
|
||||
}
|
||||
|
||||
renew_leases(){
|
||||
# Renew vault token
|
||||
if [ "$(check_vault_token)" == "1" ]; then
|
||||
vault token renew > /dev/null
|
||||
else
|
||||
auth_env
|
||||
fi
|
||||
if [ -n "${NOMAD_LEASE}" -a "$(check_nomad_token)" == "1" ]; then
|
||||
vault token renew ${NOMAD_LEASE} >/dev/null
|
||||
else
|
||||
auth_env
|
||||
fi
|
||||
if [ -n "${CONSUL_LEASE}" -a "$(check_consul_token)" == "1" ]; then
|
||||
vault token renew ${CONSUL_LEASE} > /dev/null
|
||||
else
|
||||
auth_env
|
||||
fi
|
||||
}
|
||||
|
||||
# Logout from the current env
|
||||
logout_env(){
|
||||
if [ -z "${CT_DOMAIN}" ]; then
|
||||
|
@ -461,6 +488,7 @@ get_conf(){
|
|||
|
||||
case $1 in
|
||||
current)
|
||||
renew_leases
|
||||
current_env
|
||||
;;
|
||||
auth)
|
||||
|
@ -470,9 +498,11 @@ case $1 in
|
|||
logout_env
|
||||
;;
|
||||
ls|list)
|
||||
renew_leases
|
||||
ls_env
|
||||
;;
|
||||
prep)
|
||||
renew_leases
|
||||
render_templates
|
||||
load_policies
|
||||
load_consul_services
|
||||
|
@ -480,21 +510,27 @@ case $1 in
|
|||
build_images
|
||||
;;
|
||||
volumes)
|
||||
renew_leases
|
||||
handle_volumes
|
||||
;;
|
||||
build)
|
||||
renew_leases
|
||||
build_images "$2" "force"
|
||||
;;
|
||||
build-no-cache)
|
||||
renew_leases
|
||||
build_images "$2" "force" "no-cache"
|
||||
;;
|
||||
tokens)
|
||||
renew_leases
|
||||
print_tokens
|
||||
;;
|
||||
logs)
|
||||
renew_leases
|
||||
job_logs "$@"
|
||||
;;
|
||||
conf)
|
||||
renew_leases
|
||||
get_merged_conf
|
||||
;;
|
||||
*)
|
||||
|
|
|
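Review bot: In renew_leases (second hunk), `vault token renew ${NOMAD_LEASE} >/dev/null` and `vault token renew ${CONSUL_LEASE} > /dev/null` pass a secrets-engine lease_id (captured with `jq -r .lease_id` in the first hunk) to a command that expects a token, while the else branches of auth_env renew those same ids with `vault lease renew`; the two calls will most likely fail, and since their status is not checked the function returns without renewing anything, so they should read `vault lease renew "${NOMAD_LEASE}" >/dev/null` and `vault lease renew "${CONSUL_LEASE}" >/dev/null`. The same conditions use the deprecated `-a` inside `[ ]`; `[ -n "${NOMAD_LEASE}" ] && [ "$(check_nomad_token)" == "1" ]` avoids it. In the first hunk, `echo -n ${NOMAD_CREDS} | jq ...` expands the credential JSON unquoted (word splitting and glob expansion on secret material) and `export X=$(...)` masks jq's exit status, so a failed `vault read` leaves an empty token exported; `printf '%s' "${NOMAD_CREDS}" | jq -r .data.secret_id` plus an explicit check on the `vault read` result would be safer, and the same applies to the Consul branch. The case arms in the remaining hunks each repeat `renew_leases`; that is consistent, but one guarded call before the `case` would be harder to forget for the next sub-command.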
@ -26,10 +26,6 @@ path "/pki/connect/*" {
|
|||
capabilities = [ "create", "read", "update", "delete", "list" ]
|
||||
}
|
||||
|
||||
path "/pki/consul/issue/consul-server" {
|
||||
capabilities = [ "update" ]
|
||||
}
|
||||
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = [ "update" ]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
# Create Vault token with the nomad-server role
|
||||
path "auth/token/create/nomad-server" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Create Vault token with the consul-server role
|
||||
path "auth/token/create/consul-server" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Create Consul token with the nomad-server role
|
||||
path "consul/creds/nomad-server" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Obtain a cert for Consul agent
|
||||
path "pki/consul/issue/consul-server" {
|
||||
capabilities = [ "update" ]
|
||||
}
|
||||
|
||||
# Obtain a cert for Nomad agent
|
||||
path "pki/nomad/issue/nomad-server" {
|
||||
capabilities = [ "update" ]
|
||||
}
|
||||
|
|
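Review bot: The new 25-line policy grants `auth/token/create/nomad-server` and `auth/token/create/consul-server` but no read on the matching `auth/token/roles/...` paths, whereas the 8-line nomad-client policy added in this commit pairs `auth/token/create/nomad-client` with `auth/token/roles/nomad-client`; if the holder also needs to look up the role it mints tokens from, that read is missing here — worth confirming against how these tokens are consumed, which the commit does not show. The capability lists alternate between `["update"]` and `[ "update" ]`; one spacing would be easier to grep. The comment `# Create Consul token with the nomad-server role` sits above a `read` capability, which is how the Consul secrets engine issues tokens, so `# Read consul/creds to issue a Consul token from the nomad-server role` would read less contradictory.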
@ -0,0 +1,8 @@
|
|||
path "auth/token/create/nomad-client" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
path "auth/token/roles/nomad-client" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
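Review bot: Unlike the other new policy in this commit, this 8-line file carries no comment saying what each grant is for; a line such as `# Create Vault tokens with the nomad-client role` above the first stanza and `# Read the nomad-client token role definition` above the second would match the sibling file's style. Since `["update"]` on `auth/token/create/nomad-client` lets the holder mint tokens from that role, the role definition (not in this commit) is what bounds those tokens, so a pointer to where it is defined belongs in that comment as well.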
@ -1,7 +1,10 @@
|
|||
# Obtain server cert for Nomad agent
|
||||
path "pki/nomad/issue/nomad-server" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Obtain client cert for Consul
|
||||
path "pki/consul/issue/nomad-client" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
|
|