Update for vault cleanup
This commit is contained in:
parent
9d8cff3214
commit
8df5891d54
|
@ -49,18 +49,16 @@ job "bounca" {
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.bounca-public.entrypoints=https",
|
"traefik.http.routers.bounca-public.entrypoints=https",
|
||||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.middlewares.csp-bounca-public.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca-public",
|
||||||
"traefik.http.routers.bounca-public.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
|
||||||
|
|
||||||
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
|
"traefik.http.routers.bounca-public.rule=Host(`pki.example.org`) && PathPrefix(`/public`)",
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
|
|
||||||
"traefik.http.routers.bounca.entrypoints=https",
|
"traefik.http.routers.bounca.entrypoints=https",
|
||||||
"traefik.http.middlewares.bounca-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
"traefik.http.routers.bounca.rule=Host(`pki.example.org`)",
|
||||||
"traefik.http.middlewares.bounca-proxy.headers.customrequestheaders.X-Forwarded-Proto=https",
|
"traefik.http.middlewares.csp-bounca.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
|
||||||
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,bounca-proxy,inflight-std@file,hsts@file,compression@file,bounca-csp",
|
"traefik.http.routers.bounca.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-bounca",
|
||||||
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -135,7 +133,7 @@ job "bounca" {
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
BOUNCA_DB_NAME=bounca
|
BOUNCA_DB_NAME=bounca
|
||||||
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||||
LANG=fr_FR.utf8
|
LANG=fr_FR.utf8
|
||||||
TZ=Europe/Paris
|
TZ=Europe/Paris
|
||||||
_EOT
|
_EOT
|
||||||
|
@ -191,8 +189,8 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
BOUNCA_DB_USER={{ with secret "/database/creds/bounca" }}{{ .Data.username }}{{ end }}
|
BOUNCA_DB_USER={{ with secret "//database/creds/bounca" }}{{ .Data.username }}{{ end }}
|
||||||
BOUNCA_DB_PASSWORD={{ with secret "/database/creds/bounca" }}{{ .Data.password }}{{ end }}
|
BOUNCA_DB_PASSWORD={{ with secret "//database/creds/bounca" }}{{ .Data.password }}{{ end }}
|
||||||
BOUNCA_DB_PORT=5432
|
BOUNCA_DB_PORT=5432
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.db.env"
|
destination = "secrets/.db.env"
|
||||||
|
@ -246,7 +244,7 @@ _EOT
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
BOUNCA_DB_NAME=bounca
|
BOUNCA_DB_NAME=bounca
|
||||||
BOUNCA_DJANGO_SECRET={{ with secret "/kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
BOUNCA_DJANGO_SECRET={{ with secret "//kv/service/bounca" }}{{ .Data.data.django_secret }}{{ end }}
|
||||||
LANG=fr_FR.utf8
|
LANG=fr_FR.utf8
|
||||||
TZ=Europe/Paris
|
TZ=Europe/Paris
|
||||||
_EOT
|
_EOT
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefailvault write /database/roles/bounca \
|
||||||
|
|
||||||
vault write database/roles/bounca \
|
|
||||||
db_name="postgres" \
|
db_name="postgres" \
|
||||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||||
GRANT \"bounca\" TO \"{{name}}\"; \
|
GRANT \"bounca\" TO \"{{name}}\"; \
|
|
@ -1,19 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ "bounca" != "bounca" ]; then
|
|
||||||
for DIR in vault consul nomad; do
|
|
||||||
if [ -d output/${DIR} ]; then
|
|
||||||
for FILE in $(find output/${DIR} -name "*bounca*.hcl" -type f); do
|
|
||||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/bounca/bounca/g")
|
|
||||||
mv "${FILE}" "${NEW_FILE}"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2,16 +2,21 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
# vim: syntax=sh
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
VAULT_KV_PATH=/kv/service/bounca
|
||||||
|
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||||
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
|
django_secret="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^bounca$'; then
|
|
||||||
vault kv put kv/service/bounca \
|
|
||||||
django_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
|
for SECRET in django_secret; do
|
||||||
for PWD in django_secret; do
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
if ! vault kv get -field ${PWD} kv/service/bounca >/dev/null 2>&1; then
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
vault kv patch kv/service/bounca \
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
path "kv/data/service/bounca" {
|
path "/kv/data/service/bounca" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "database/creds/bounca" {
|
path "/database/creds/bounca" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
[[- template "common/vault.mkpgrole.sh.tpl"
|
|
||||||
dict "ctx" .
|
|
||||||
"config" (dict "role" .instance "database" "postgres")
|
|
||||||
]]
|
|
5
init/vault-database
Executable file
5
init/vault-database
Executable file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
[[- template "common/vault.mkpgrole.sh" merge .bounca . ]]
|
|
@ -1 +0,0 @@
|
||||||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "bounca" .instance) ]]
|
|
|
@ -2,16 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
[[ template "common/vault.rand_secrets" merge .bounca . ]]
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
django_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PWD in django_secret; do
|
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
|
@ -8,20 +8,24 @@ bounca:
|
||||||
# The image to use
|
# The image to use
|
||||||
image: danielberteaud/bounca:latest
|
image: danielberteaud/bounca:latest
|
||||||
|
|
||||||
# Vault policies to use
|
|
||||||
vault:
|
vault:
|
||||||
|
# Vault policies to use
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
# Random secrets to generate
|
||||||
|
rand_secrets:
|
||||||
|
fields:
|
||||||
|
- django_secret
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
database: '[[ .instance ]]'
|
database: '[[ .instance ]]'
|
||||||
user: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
user: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
|
||||||
password: '{{ with secret "[[ .vault.prefix ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
password: '{{ with secret "[[ .vault.root ]]/database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
|
||||||
|
|
||||||
# Env variable to pass to the container
|
# Env variable to pass to the container
|
||||||
env:
|
env:
|
||||||
BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]'
|
BOUNCA_DB_NAME: '[[ .bounca.postgres.database ]]'
|
||||||
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.prefix ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
|
BOUNCA_DJANGO_SECRET: '{{ with secret "[[ .vault.root ]]/kv/service/[[ .instance ]]" }}{{ .Data.data.django_secret }}{{ end }}'
|
||||||
|
|
||||||
# Public URL where user can reach the app
|
# Public URL where user can reach the app
|
||||||
public_url: https://pki.example.org
|
public_url: https://pki.example.org
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user