From 77ad7deea538d87a6726806402cad498fed3477f Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 27 Jul 2023 11:46:42 +0200
Subject: [PATCH] Update vault policies and load_config in auth_env

---
 ctctl | 12 +++++++-----
 vault/policies/ct-server.hcl | 14 ++++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/ctctl b/ctctl
index b87422c..94e51b5 100755
--- a/ctctl
+++ b/ctctl
@@ -139,7 +139,6 @@ switch_env(){

 esac
 auth_env
- load_config
 export PS1="[${CTCTL_DOMAIN} \[\e[${COLOR}m\](${CTCTL_ENV})\[\e[m\] \W]\$ "
 }

@@ -198,6 +197,7 @@ auth_env(){
 vault token renew > /dev/null 2>&1
 fi
 VAULT_TOKEN_INFO=$(vault read -format=json auth/token/lookup-self)
+ # TODO make the role selection more generic
 if [ "$(echo $VAULT_TOKEN_INFO | jq '.data.policies | any(. == "admin-policy" or .== "admin")')" == "true" ]; then
 NOMAD_ROLE=admin
 CONSUL_ROLE=admin
@@ -214,7 +214,10 @@ auth_env(){
 # Note 1: as the template is using pkiCert, the cert won't be renewed, unless necessary
 # Note 2: don't pass CONSUL_CLIENT_CERT CONSUL_CLIENT_KEY and CONSUL_CACERT because they would prevent consul-template from starting
 # to get/renew the cert if they are absent, or expired
- env -u CONSUL_CLIENT_CERT -u CONSUL_CLIENT_KEY -u CONSUL_CACERT consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once
+ env -u CONSUL_CLIENT_CERT \
+ -u CONSUL_CLIENT_KEY \
+ -u CONSUL_CACERT \
+ consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once

 # Get/renew cert for Nomad now
 consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/nomad/consul-template.hcl -once
@@ -241,6 +244,8 @@ auth_env(){
 echo "Consul token is valid, renewing lease"
 vault lease renew ${CONSUL_LEASE} >/dev/null
 fi
+
+ load_config
 }

 renew_leases(){
@@ -553,9 +558,6 @@ get_job_list(){
 echo $JOBS
 }

-# Load configuration
-load_config
-
 case $1 in
 current)
 current_env
diff --git a/vault/policies/ct-server.hcl b/vault/policies/ct-server.hcl
index 676f178..419f4d3 100644
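Review bot: The rewritten `env -u … consul-template -config ~/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl -once` in the third hunk still leaves the config path unquoted, so a `CTCTL_DOMAIN` value containing whitespace or glob characters is word-split before consul-template sees it; the nomad line kept as context right below has the same shape. Because `~` is not expanded inside double quotes, the quoted form is `consul-template -config "$HOME/.ctctl/${CTCTL_DOMAIN}/consul/consul-template.hcl" -once`. The body of auth_env starts and ends outside this hunk.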
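Review bot: The `load_config` call added at the end of `auth_env` in the fourth hunk runs only after every vault and consul-template step in that function, so anything `load_config` sets is not visible to those earlier steps, and with the unconditional top-level call removed in the last hunk, subcommands dispatched by `case $1` that never reach `auth_env` (such as `current_env`, visible as context there) now run without configuration loaded at all; whether either is intended cannot be told from the hunks. If it is, the placement deserves a comment, e.g. `# Load configuration last: nothing in the token/cert renewal above depends on it, and every caller that needs config goes through auth_env`. The removal from `switch_env` in the first hunk rests on the same assumption. auth_env begins outside the fourth hunk.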
--- a/vault/policies/ct-server.hcl
+++ b/vault/policies/ct-server.hcl
@@ -13,6 +13,11 @@ path "consul/creds/nomad-server" {
 capabilities = ["read"]
 }

+# Create consul tokens, for backups
+path "consul/creds/backup" {
+ capabilities = ["read"]
+}
+
 # Obtain a cert for Consul agent
 path "pki/consul/issue/consul-server" {
 capabilities = [ "update" ]
@@ -23,3 +28,12 @@ path "pki/nomad/issue/nomad-server" {
 capabilities = [ "update" ]
 }

+# Create Nomad token, for backups
+path "nomad/creds/backup" {
+ capabilities = [ "read" ]
+}
+
+# Backup vault itself
+path "sys/storage/raft/snapshot" {
+ capabilities = ["read"]
+}
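Review bot: The new `path "sys/storage/raft/snapshot"` stanza in the second hunk lets any token carrying the ct-server policy download a full raft snapshot, which is a copy of the entire Vault storage; its contents are encrypted with the barrier key, but combined with unseal material it restores the whole secret store elsewhere, so it is far broader than the `consul/creds/backup` and `nomad/creds/backup` reads added in the two hunks. Judging by the file name this policy is attached to every ct server, not only to the backup job, so a dedicated backup policy bound to the backup host's auth role would keep the server policy at least privilege. At minimum the comment should state what the path grants, e.g. `# Backup vault itself: a raft snapshot is the complete Vault store, keep this policy off non-backup tokens`. The new stanzas also alternate between `["read"]` and `[ "read" ]` while the surrounding file uses `[ "update" ]`.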