Update vault policies and load_config in auth_env
This commit is contained in:
parent
28edbbc425
commit
77ad7deea5
12
ctctl
12
ctctl
|
@ -139,7 +139,6 @@ switch_env(){
|
|||
esac
|
||||
|
||||
auth_env
|
||||
load_config
|
||||
|
||||
export PS1="[${CTCTL_DOMAIN} \[\e[${COLOR}m\](${CTCTL_ENV})\[\e[m\] \W]\$ "
|
||||
}
|
||||
|
@ -198,6 +197,7 @@ auth_env(){
|
|||
vault token renew > /dev/null 2>&1
|
||||
fi
|
||||
VAULT_TOKEN_INFO=$(vault read -format=json auth/token/lookup-self)
|
||||
# TODO make the role selection more generic
|
||||
if [ "$(echo $VAULT_TOKEN_INFO | jq '.data.policies | any(. == "admin-policy" or .== "admin")')" == "true" ]; then
|
||||
NOMAD_ROLE=admin
|
||||
CONSUL_ROLE=admin
|
||||
|
@ -214,7 +214,10 @@ auth_env(){
|
|||
# Note 1: as the template is using pkiCert, the cert won't be renewed, unless necessary
|
||||
# Note 2: don't pass CONSUL_CLIENT_CERT CONSUL_CLIENT_KEY and CONSUL_CACERT because they would prevent consul-template from starting
|
||||
# to get/renew the cert if they are absent, or expired
|
||||
env -u CONSUL_CLIENT_CERT -u CONSUL_CLIENT_KEY -u CONSUL_CACERT consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once
|
||||
env -u CONSUL_CLIENT_CERT \
|
||||
-u CONSUL_CLIENT_KEY \
|
||||
-u CONSUL_CACERT \
|
||||
consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once
|
||||
|
||||
# Get/renew cert for Nomad now
|
||||
consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/nomad/consul-template.hcl -once
|
||||
|
@ -241,6 +244,8 @@ auth_env(){
|
|||
echo "Consul token is valid, renewing lease"
|
||||
vault lease renew ${CONSUL_LEASE} >/dev/null
|
||||
fi
|
||||
|
||||
load_config
|
||||
}
|
||||
|
||||
renew_leases(){
|
||||
|
@ -553,9 +558,6 @@ get_job_list(){
|
|||
echo $JOBS
|
||||
}
|
||||
|
||||
# Load configuration
|
||||
load_config
|
||||
|
||||
case $1 in
|
||||
current)
|
||||
current_env
|
||||
|
|
|
@ -13,6 +13,11 @@ path "consul/creds/nomad-server" {
|
|||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Create consul tokens, for backups
|
||||
path "consul/creds/backup" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Obtain a cert for Consul agent
|
||||
path "pki/consul/issue/consul-server" {
|
||||
capabilities = [ "update" ]
|
||||
|
@ -23,3 +28,12 @@ path "pki/nomad/issue/nomad-server" {
|
|||
capabilities = [ "update" ]
|
||||
}
|
||||
|
||||
# Create Nomad token, for backups
|
||||
path "nomad/creds/backup" {
|
||||
capabilities = [ "read" ]
|
||||
}
|
||||
|
||||
# Backup vault itself
|
||||
path "sys/storage/raft/snapshot" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
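Review bot: The new `path "sys/storage/raft/snapshot" { capabilities = ["read"] }` stanza at the end of the second hunk grants the holder the ability to download the entire Vault Raft snapshot, which is a far broader privilege than the per-path credential reads around it, and the hunk gives no comment on why it belongs in a policy that also issues `consul-server` and `nomad-server` certificates (the policy file's name is not visible on this page, so I am inferring its audience from the surrounding stanzas). Holding backup-token generation (`consul/creds/backup`, `nomad/creds/backup`) and snapshot export in the same policy as server cert issuance means a compromise of any server using this policy also yields a full data export; splitting the three backup stanzas into a dedicated backup policy bound to a separate token or role would keep the blast radius of each role narrow. At minimum, I would expand the `# Backup vault itself` comment to `# Backup vault itself: read of the raft snapshot exports the entire barrier; grant only to the backup job's token` so the next reviewer does not treat it as a routine read grant.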