Various fixes and improvements
This commit is contained in:
parent
dcd8a1c53d
commit
771b8ab679
39
ctctl
39
ctctl
|
|
@ -153,18 +153,21 @@ auth_env(){
|
|||
kill -INT $$
|
||||
fi
|
||||
|
||||
NEED_LOGIN=0
|
||||
NEED_LOGIN=1
|
||||
if [ "$(check_vault_token)" != "1" ]; then
|
||||
if [ -n "${VAULT_TOKEN:-}" -a -e ~/.vault-token ]; then
|
||||
if [ -e ~/.vault-token ]; then
|
||||
# If VAULT_TOKEN is defined, unset it and try again. This is because we might
|
||||
# have a valid token in ~/.vault-token but an expired token is set in VAULT_TOKEN
|
||||
# and is taking precedence
|
||||
export VAULT_TOKEN=$(cat ~/.vault-token)
|
||||
if [ "$(check_vault_token)" != "1" ]; then
|
||||
NEED_LOGIN=1
|
||||
unset VAULT_TOKEN
|
||||
else
|
||||
NEED_LOGIN=0
|
||||
fi
|
||||
NEDD_LOGIN=1
|
||||
fi
|
||||
else
|
||||
NEED_LOGIN=0
|
||||
fi
|
||||
if [ "${NEED_LOGIN}" = "1" ]; then
|
||||
echo "You're not connected on vault. Please enter your account password"
|
||||
|
|
@ -282,11 +285,14 @@ load_policies(){
|
|||
fi
|
||||
for PFILE in $(ls ${DIR}/vault/policies/*.hcl 2>/dev/null); do
|
||||
if [ "${DIR}" = "./output" -a -e "$(echo ${PFILE} | sed -E 's|^\./output/|./|')" ]; then
|
||||
echo "Skiping ${FILE} as $(echo ${PFILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
echo "Skiping ${PFILE} as $(echo ${PFILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
continue
|
||||
elif [ \! -s "${PFILE}" ]; then
|
||||
echo "Skiping empty file ${PFILE}"
|
||||
continue
|
||||
fi
|
||||
PNAME=$(basename ${PFILE} .hcl)
|
||||
echo "Loading vault policy ${PNA}"
|
||||
echo "Loading vault policy ${PNAME}"
|
||||
replace_conf_var ${PFILE} | vault policy write ${PNAME} -
|
||||
done
|
||||
fi
|
||||
|
|
@ -301,6 +307,9 @@ load_policies(){
|
|||
if [ "${DIR}" = "./output" -a -e "$(echo ${PFILE} | sed -E 's|^\./output/|./|')" ]; then
|
||||
echo "Skiping ${FILE} as $(echo ${PFILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
continue
|
||||
elif [ \! -s "${PFILE}" ]; then
|
||||
echo "Skiping empty file ${PFILE}"
|
||||
continue
|
||||
fi
|
||||
# Consul do not use the same command to create a new policy and to update an existing one
|
||||
# so we need to detect if the policy already exists
|
||||
|
|
@ -321,7 +330,10 @@ load_policies(){
|
|||
for PFILE in $(ls ${DIR}nomad/policies/*.hcl 2>/dev/null); do
|
||||
PNAME=$(basename ${PFILE} .hcl)
|
||||
if [ "${DIR}" = "./output" -a -e "$(echo ${PFILE} | sed -E 's|^\./output/|./|')" ]; then
|
||||
echo "Skiping ${FILE} as $(echo ${PFILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
echo "Skiping ${PFILE} as $(echo ${PFILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
continue
|
||||
elif [ \! -s "${PFILE}" ]; then
|
||||
echo "Skiping empty file ${PFILE}"
|
||||
continue
|
||||
fi
|
||||
echo "Loading Nomad policy ${PNAME}"
|
||||
|
|
@ -346,6 +358,9 @@ load_consul_conf(){
|
|||
if [ "${DIR}" = "./output" -a -e "$(echo ${FILE} | sed -E 's|^\./output/|./|')" ]; then
|
||||
echo "Skiping ${FILE} as $(echo ${FILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
continue
|
||||
elif [ \! -s "${FILE}" ]; then
|
||||
echo "Skiping empty file ${FILE}"
|
||||
continue
|
||||
fi
|
||||
echo "Loading consul conf from ${FILE}"
|
||||
TEMP=$(mktemp)
|
||||
|
|
@ -362,6 +377,9 @@ load_consul_conf(){
|
|||
if [ "${DIR}" = "./output" -a -e "$(echo ${FILE} | sed -E 's|^\./output/|./|')" ]; then
|
||||
echo "Skiping ${FILE} as $(echo ${FILE} | sed -E 's|^\./output/|./|') will take precedence"
|
||||
continue
|
||||
elif [ \! -s "${FILE}" ]; then
|
||||
echo "Skiping empty file ${FILE}"
|
||||
continue
|
||||
fi
|
||||
echo "Loading consul conf from ${FILE}"
|
||||
TEMP=$(mktemp)
|
||||
|
|
@ -510,6 +528,8 @@ render_templates(){
|
|||
|
||||
# Use [[ and ]] so it won't clash with consul-template fragments
|
||||
local GOMPLATE_COMMON_ARGS=(--left-delim '[[' --right-delim ']]')
|
||||
# Setup a vault datasource
|
||||
GOMPLATE_COMMON_ARGS+=(-d vault=vault:///)
|
||||
# The context will merge various configuration files to get the variables used to render the templates
|
||||
GOMPLATE_COMMON_ARGS+=(--context)
|
||||
|
||||
|
|
@ -563,6 +583,11 @@ render_templates(){
|
|||
# First, cleanup any previously rendered files
|
||||
rm -rf output ./*.nomad ./*.nomad.hcl
|
||||
gomplate "${GOMPLATE_COMMON_ARGS[@]}" "${GOMPLATE_BUNDLE_ARGS[@]}"
|
||||
# Render a second time job files. This is a bit hacky, but allows
|
||||
# configuration to refer to other configuration key
|
||||
for JOB in ./*.nomad.hcl; do
|
||||
grep -q '[[' ${JOB} && gomplate "${GOMPLATE_COMMON_ARGS[@]}" -f ${JOB} -o ${JOB}
|
||||
done
|
||||
|
||||
for IMGDIR in $(find . -name images -type d); do
|
||||
for DOCKER_IMAGE in $(find ${IMGDIR} -mindepth 1 -maxdepth 1 -type d); do
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ path "/pki/*" {
|
|||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
|
||||
# Manage consul, nomad and databases secrets
|
||||
path "/consul/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
|
|
@ -56,6 +57,10 @@ path "/nomad/*" {
|
|||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
|
||||
path "/database/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||
}
|
||||
|
||||
|
||||
# Manage secrets engines
|
||||
path "sys/mounts/*" {
|
||||
|
|
|
|||
Loading…
Reference in New Issue