Update for vault cleanup

This commit is contained in:
Daniel Berteaud 2024-01-31 12:29:56 +01:00
parent 9d8cff3214
commit 8df5891d54
11 changed files with 42 additions and 72 deletions


@ -49,18 +49,16 @@ job "bounca" {
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.bounca-public.entrypoints=https", "traefik.http.routers.bounca-public.entrypoints=https",
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", "traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", "traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public",
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)", "traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
"traefik.enable=true", "traefik.enable=true",
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
"traefik.http.routers.bounca.entrypoints=https", "traefik.http.routers.bounca.entrypoints=https",
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", "traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https", "traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp", "traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca",
] ]
@ -135,7 +133,7 @@ job "bounca" {
template { template {
data = <<_EOT data = <<_EOT
BOUNCA_DB_NAME=bounca BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8 LANG=fr_FR.utf8
TZ=Europe/Paris TZ=Europe/Paris
_EOT _EOT
@ -191,8 +189,8 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }} BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }} BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
BOUNCA_DB_PORT=5432 BOUNCA_DB_PORT=5432
_EOT _EOT
destination = "secrets/.db.env" destination = "secrets/.db.env"
@ -246,7 +244,7 @@ _EOT
template { template {
data = <<_EOT data = <<_EOT
BOUNCA_DB_NAME=bounca BOUNCA_DB_NAME=bounca
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }} BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
LANG=fr_FR.utf8 LANG=fr_FR.utf8
TZ=Europe/Paris TZ=Europe/Paris
_EOT _EOT
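Review bot: The rendered Vault paths in the env templates now carry a doubled slash (`{{ with secret "//kv/service/bounca" }}`, `{{ with secret "//database/creds/bounca" }}`) while the policy rendered in the same commit grants `/kv/data/service/bounca` and `/database/creds/bounca` with a single one. The cause is visible in the templates: the values file writes `[[ .vault.root ]]/kv/service/...` with its own separator whereas the policy template writes `[[ .vault.root ]]kv/data/...`, and `.vault.root` evidently renders as `/` now. Vault Agent's template engine appears to tolerate leading slashes, so this probably still resolves, but it is fragile and makes the rendered job impossible to grep against the policy; settle on one convention so the job renders `{{ with secret "/kv/service/bounca" }}` like the policy. The CSP and Traefik labels above are unchanged apart from the middleware rename, so nothing to add there.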


@ -1,8 +1,6 @@
#!/bin/sh #!/bin/sh
set -euo pipefail set -euo pipefailvault write /database/roles/bounca \
vault write database/roles/bounca \
db_name="postgres" \ db_name="postgres" \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT \"bounca\" TO \"{{name}}\"; \ GRANT \"bounca\" TO \"{{name}}\"; \


@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "bounca" != "bounca" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*bounca*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/bounca/bounca/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi


@ -2,16 +2,21 @@
set -euo pipefail set -euo pipefail
# Initialize random passwords if needed # vim: syntax=sh
export LC_ALL=C
VAULT_KV_PATH=/kv/service/bounca
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
vault kv put ${VAULT_KV_PATH} \
django_secret="$(sh -c "${RAND_CMD}")" \
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^bounca$'; then
vault kv put kv/service/bounca \
django_secret=$(pwgen -s -n 50 1)
fi fi
for SECRET in django_secret; do
for PWD in django_secret; do if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
if ! vault kv get -field ${PWD} kv/service/bounca >/dev/null 2>&1; then vault kv patch ${VAULT_KV_PATH} \
vault kv patch kv/service/bounca \ ${SECRET}=$(sh -c "${RAND_CMD}")
${PWD}=$(pwgen -s -n 50 1)
fi fi
done done
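Review bot: In the `for SECRET` loop the generated value is substituted straight into the `vault kv patch` argument, so if `sh -c "${RAND_CMD}"` fails or prints nothing the patch silently stores an empty `django_secret` — `set -e` never sees the exit status of a substitution used as a command argument, and inside `sh -c` the pipeline's status is `head`'s anyway; the `vault kv put` branch above has the same exposure. Capture and check first: `VALUE=$(sh -c "${RAND_CMD}")`, `[ -n "${VALUE}" ] || exit 1`, `vault kv patch "${VAULT_KV_PATH}" "${SECRET}=${VALUE}"`. The substitution on the patch line is also unquoted while the one in `kv put` is quoted; quoting both is the safer habit even though the `tr -dc` set excludes whitespace and glob characters. This file is rendered from the shared `common/vault.rand_secrets` template, so the fix belongs there rather than in the generated output.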


@ -1,7 +1,7 @@
path "kv/data/service/bounca" { path "/kv/data/service/bounca" {
capabilities = ["read"] capabilities = ["read"]
} }
path "database/creds/bounca" { path "/database/creds/bounca" {
capabilities = ["read"] capabilities = ["read"]
} }


@ -1,8 +0,0 @@
#!/bin/sh
set -euo pipefail
[[- template "common/vault.mkpgrole.sh.tpl"
dict "ctx" .
"config" (dict "role" .instance "database" "postgres")
]]

init/vault-database Executable file

@ -0,0 +1,5 @@
#!/bin/sh
set -euo pipefail
[[- template "common/vault.mkpgrole.sh" merge .bounca . ]]
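Review bot: `set -euo pipefail` under a `#!/bin/sh` shebang is not portable: `pipefail` is a bash/ksh/zsh extension that older dash releases (the default `/bin/sh` on Debian and Ubuntu) reject, and with `-e` in effect the failing `set` aborts the script before the `mkpgrole` body ever runs. Either switch the shebang to `#!/bin/bash` if pipefail is wanted, or drop `-o pipefail` and keep `set -eu`. The same header appears on the other init scripts in this commit, so the shared templates are the place to change it once.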


@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "bounca" .instance) ]]


@ -2,16 +2,4 @@
set -euo pipefail set -euo pipefail
# Initialize random passwords if needed [[ template "common/vault.rand_secrets" merge .bounca . ]]
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
django_secret=$(pwgen -s -n 50 1)
fi
for PWD in django_secret; do
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
${PWD}=$(pwgen -s -n 50 1)
fi
done


@ -8,20 +8,24 @@ bounca:
# The image to use # The image to use
image: danielberteaud/bounca:latest image: danielberteaud/bounca:latest
# Vault policies to use
vault: vault:
# Vault policies to use
policies: policies:
- '[[ .instance ]][[ .consul.suffix ]]' - '[[ .instance ]][[ .consul.suffix ]]'
# Random secrets to generate
rand_secrets:
fields:
- django_secret
postgres: postgres:
database: '[[ .instance ]]' database: '[[ .instance ]]'
user: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}' user: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
password: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}' password: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
# Env variable to pass to the container # Env variable to pass to the container
env: env:
BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]' BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]'
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.prefix ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}' BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
# Public URL where user can reach the app # Public URL where user can reach the app
public_url: https://pki.example.org public_url: https://pki.example.org
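Review bot: The three secret references switched to `[[ .vault.root ]]/database/creds/...` and `[[ .vault.root ]]/kv/service/...` keep their own leading `/` after the variable, while the policy template in the same commit uses `[[ .vault.root ]]kv/data/...` with no separator; the rendered job in this commit shows the result as `//kv/service/bounca`. Pick one convention — matching the policy template means `user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}...'`, the same for `password`, and `BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}...'`. The engine likely tolerates the doubled slash today, but a consistent separator keeps rendered paths greppable against the policies.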


@ -1,7 +1,7 @@
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" { path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" { path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
capabilities = ["read"] capabilities = ["read"]
} }