From 8df5891d54680037514d374ea1097a4a64868e73 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 31 Jan 2024 12:29:56 +0100 Subject: [PATCH] Update for vault cleanup --- example/bounca.nomad.hcl | 20 ++++++++-------- example/init/{vault-bounca => vault-database} | 4 +--- example/prep.d/10-mv-conf.sh | 19 --------------- example/prep.d/10-rand-pwd.sh | 23 +++++++++++-------- example/vault/policies/bounca.hcl | 4 ++-- init/vault-bounca | 8 ------- init/vault-database | 5 ++++ prep.d/10-mv-conf.sh | 1 - prep.d/10-rand-pwd.sh | 14 +---------- variables.yml | 12 ++++++---- vault/policies/bounca.hcl | 4 ++-- 11 files changed, 42 insertions(+), 72 deletions(-) rename example/init/{vault-bounca => vault-database} (84%) delete mode 100755 example/prep.d/10-mv-conf.sh delete mode 100755 init/vault-bounca create mode 100755 init/vault-database delete mode 100755 prep.d/10-mv-conf.sh diff --git a/example/bounca.nomad.hcl b/example/bounca.nomad.hcl index d2f57c2..8ca3d0f 100644 --- a/example/bounca.nomad.hcl +++ b/example/bounca.nomad.hcl @@ -49,18 +49,16 @@ job "bounca" { "traefik.enable=true", "traefik.http.routers.bounca-public.entrypoints=https", - "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", - "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", - "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp", + "traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public", "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)", "traefik.enable=true", - "traefik.http.routers.bounca.rule=Host(`pki.example.org`)", "traefik.http.routers.bounca.entrypoints=https", - "traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", - "traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", - "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp", + "traefik.http.routers.bounca.rule=Host(`pki.example.org`)", + "traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca", ] @@ -135,7 +133,7 @@ job "bounca" { template { data = <<_EOT BOUNCA_DB_NAME=bounca -BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} +BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} LANG=fr_FR.utf8 TZ=Europe/Paris _EOT @@ -191,8 +189,8 @@ _EOT template { data = <<_EOT -BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }} -BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }} +BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }} +BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }} BOUNCA_DB_PORT=5432 _EOT destination = "secrets/.db.env" @@ -246,7 +244,7 @@ _EOT template { data = <<_EOT BOUNCA_DB_NAME=bounca -BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} +BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} LANG=fr_FR.utf8 TZ=Europe/Paris _EOT diff --git a/example/init/vault-bounca b/example/init/vault-database similarity index 84% rename from example/init/vault-bounca rename to example/init/vault-database index 9c63427..1b69a10 100755 --- a/example/init/vault-bounca +++ b/example/init/vault-database @@ -1,8 +1,6 @@ #!/bin/sh -set -euo pipefail - -vault write database/roles/bounca \ +set -euo pipefailvault write /database/roles/bounca \ db_name="postgres" \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT \"bounca\" TO \"{{name}}\"; \ diff --git a/example/prep.d/10-mv-conf.sh b/example/prep.d/10-mv-conf.sh deleted file mode 100755 index fb7cdf1..0000000 --- a/example/prep.d/10-mv-conf.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -set -eu - - - -if [ "bounca" != "bounca" ]; then - for DIR in vault consul nomad; do - if [ -d output/${DIR} ]; then - for FILE in $(find output/${DIR} -name "*bounca*.hcl" -type f); do - NEW_FILE=$(echo "${FILE}" | sed -E "s/bounca/bounca/g") - mv "${FILE}" "${NEW_FILE}" - done - fi - done -fi - - - diff --git a/example/prep.d/10-rand-pwd.sh b/example/prep.d/10-rand-pwd.sh index 4f64846..2460286 100755 --- a/example/prep.d/10-rand-pwd.sh +++ b/example/prep.d/10-rand-pwd.sh @@ -2,16 +2,21 @@ set -euo pipefail -# Initialize random passwords if needed +# vim: syntax=sh + +export LC_ALL=C +VAULT_KV_PATH=/kv/service/bounca +RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50" +if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then + vault kv put ${VAULT_KV_PATH} \ + django_secret="$(sh -c "${RAND_CMD}")" \ -if ! vault kv list kv/service 2>/dev/null | grep -q -E '^bounca$'; then - vault kv put kv/service/bounca \ - django_secret=$(pwgen -s -n 50 1) fi - -for PWD in django_secret; do - if ! vault kv get -field ${PWD} kv/service/bounca >/dev/null 2>&1; then - vault kv patch kv/service/bounca \ - ${PWD}=$(pwgen -s -n 50 1) +for SECRET in django_secret; do + if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then + vault kv patch ${VAULT_KV_PATH} \ + ${SECRET}=$(sh -c "${RAND_CMD}") fi done + + diff --git a/example/vault/policies/bounca.hcl b/example/vault/policies/bounca.hcl index d8a9d3b..40cba3b 100644 --- a/example/vault/policies/bounca.hcl +++ b/example/vault/policies/bounca.hcl @@ -1,7 +1,7 @@ -path "kv/data/service/bounca" { +path "/kv/data/service/bounca" { capabilities = ["read"] } -path "database/creds/bounca" { +path "/database/creds/bounca" { capabilities = ["read"] } diff --git a/init/vault-bounca b/init/vault-bounca deleted file mode 100755 index c3cb7c3..0000000 --- a/init/vault-bounca +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -set -euo pipefail - -[[- template "common/vault.mkpgrole.sh.tpl" - dict "ctx" . - "config" (dict "role" .instance "database" "postgres") -]] diff --git a/init/vault-database b/init/vault-database new file mode 100755 index 0000000..f16cfde --- /dev/null +++ b/init/vault-database @@ -0,0 +1,5 @@ +#!/bin/sh + +set -euo pipefail + +[[- template "common/vault.mkpgrole.sh" merge .bounca . ]] diff --git a/prep.d/10-mv-conf.sh b/prep.d/10-mv-conf.sh deleted file mode 100755 index cf3b469..0000000 --- a/prep.d/10-mv-conf.sh +++ /dev/null @@ -1 +0,0 @@ -[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "bounca" .instance) ]] diff --git a/prep.d/10-rand-pwd.sh b/prep.d/10-rand-pwd.sh index 755047e..633b177 100755 --- a/prep.d/10-rand-pwd.sh +++ b/prep.d/10-rand-pwd.sh @@ -2,16 +2,4 @@ set -euo pipefail -# Initialize random passwords if needed - -if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then - vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \ - django_secret=$(pwgen -s -n 50 1) -fi - -for PWD in django_secret; do - if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then - vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \ - ${PWD}=$(pwgen -s -n 50 1) - fi -done +[[ template "common/vault.rand_secrets" merge .bounca . ]] diff --git a/variables.yml b/variables.yml index ff0a397..ee215be 100644 --- a/variables.yml +++ b/variables.yml @@ -8,20 +8,24 @@ bounca: # The image to use image: danielberteaud/bounca:latest - # Vault policies to use vault: + # Vault policies to use policies: - '[[ .instance ]][[ .consul.suffix ]]' + # Random secrets to generate + rand_secrets: + fields: + - django_secret postgres: database: '[[ .instance ]]' - user: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}' - password: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}' + user: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}' + password: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}' # Env variable to pass to the container env: BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]' - BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.prefix ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}' + BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}' # Public URL where user can reach the app public_url: https://pki.example.org diff --git a/vault/policies/bounca.hcl b/vault/policies/bounca.hcl index 4ec71e1..4b45679 100644 --- a/vault/policies/bounca.hcl +++ b/vault/policies/bounca.hcl @@ -1,7 +1,7 @@ -path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" { +path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" { capabilities = ["read"] } -path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" { +path "[[ .vault.root ]]database/creds/[[ .instance ]]" { capabilities = ["read"] }