Update for vault cleanup
This commit is contained in:
parent
9d8cff3214
commit
8df5891d54
|
@ -49,18 +49,16 @@ job "bounca" {
|
|||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.bounca-public.entrypoints=https",
|
||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
||||
"traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public",
|
||||
|
||||
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
|
||||
|
||||
"traefik.enable=true",
|
||||
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
|
||||
"traefik.http.routers.bounca.entrypoints=https",
|
||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
||||
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
|
||||
"traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca",
|
||||
|
||||
]
|
||||
|
||||
|
@ -135,7 +133,7 @@ job "bounca" {
|
|||
template {
|
||||
data = <<_EOT
|
||||
BOUNCA_DB_NAME=bounca
|
||||
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||
LANG=fr_FR.utf8
|
||||
TZ=Europe/Paris
|
||||
_EOT
|
||||
|
@ -191,8 +189,8 @@ _EOT
|
|||
|
||||
template {
|
||||
data = <<_EOT
|
||||
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }}
|
||||
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }}
|
||||
BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
|
||||
BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
|
||||
BOUNCA_DB_PORT=5432
|
||||
_EOT
|
||||
destination = "secrets/.db.env"
|
||||
|
@ -246,7 +244,7 @@ _EOT
|
|||
template {
|
||||
data = <<_EOT
|
||||
BOUNCA_DB_NAME=bounca
|
||||
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||
LANG=fr_FR.utf8
|
||||
TZ=Europe/Paris
|
||||
_EOT
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
vault write database/roles/bounca \
|
||||
set -euo pipefailvault write /database/roles/bounca \
|
||||
db_name="postgres" \
|
||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||
GRANT \"bounca\" TO \"{{name}}\"; \
|
|
@ -1,19 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
|
||||
|
||||
if [ "bounca" != "bounca" ]; then
|
||||
for DIR in vault consul nomad; do
|
||||
if [ -d output/${DIR} ]; then
|
||||
for FILE in $(find output/${DIR} -name "*bounca*.hcl" -type f); do
|
||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/bounca/bounca/g")
|
||||
mv "${FILE}" "${NEW_FILE}"
|
||||
done
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
|
|
@ -2,16 +2,21 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
# Initialize random passwords if needed
|
||||
# vim: syntax=sh
|
||||
|
||||
export LC_ALL=C
|
||||
VAULT_KV_PATH=/kv/service/bounca
|
||||
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||
vault kv put ${VAULT_KV_PATH} \
|
||||
django_secret="$(sh -c "${RAND_CMD}")" \
|
||||
|
||||
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^bounca$'; then
|
||||
vault kv put kv/service/bounca \
|
||||
django_secret=$(pwgen -s -n 50 1)
|
||||
fi
|
||||
|
||||
for PWD in django_secret; do
|
||||
if ! vault kv get -field ${PWD} kv/service/bounca >/dev/null 2>&1; then
|
||||
vault kv patch kv/service/bounca \
|
||||
${PWD}=$(pwgen -s -n 50 1)
|
||||
for SECRET in django_secret; do
|
||||
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||
vault kv patch ${VAULT_KV_PATH} \
|
||||
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
path "kv/data/service/bounca" {
|
||||
path "/kv/data/service/bounca" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "database/creds/bounca" {
|
||||
path "/database/creds/bounca" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
[[- template "common/vault.mkpgrole.sh.tpl"
|
||||
dict "ctx" .
|
||||
"config" (dict "role" .instance "database" "postgres")
|
||||
]]
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
[[- template "common/vault.mkpgrole.sh" merge .bounca . ]]
|
|
@ -1 +0,0 @@
|
|||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "bounca" .instance) ]]
|
|
@ -2,16 +2,4 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
# Initialize random passwords if needed
|
||||
|
||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||
django_secret=$(pwgen -s -n 50 1)
|
||||
fi
|
||||
|
||||
for PWD in django_secret; do
|
||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
||||
${PWD}=$(pwgen -s -n 50 1)
|
||||
fi
|
||||
done
|
||||
[[ template "common/vault.rand_secrets" merge .bounca . ]]
|
||||
|
|
|
@ -8,20 +8,24 @@ bounca:
|
|||
# The image to use
|
||||
image: danielberteaud/bounca:latest
|
||||
|
||||
# Vault policies to use
|
||||
vault:
|
||||
# Vault policies to use
|
||||
policies:
|
||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||
# Random secrets to generate
|
||||
rand_secrets:
|
||||
fields:
|
||||
- django_secret
|
||||
|
||||
postgres:
|
||||
database: '[[ .instance ]]'
|
||||
user: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||
password: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||
user: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||
password: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||
|
||||
# Env variable to pass to the container
|
||||
env:
|
||||
BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]'
|
||||
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.prefix ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
|
||||
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
|
||||
|
||||
# Public URL where user can reach the app
|
||||
public_url: https://pki.example.org
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
||||
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
||||
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue