From fd2798d182e709de0f75ba624c1db74891ff842d Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 31 Jan 2024 13:52:57 +0100
Subject: [PATCH] Cleanup
---
 example/init/vault-database | 2 +-
 example/lemonldap-ng.nomad.hcl | 6 +++---
 example/prep.d/10-mv-conf.sh | 19 -------------------
 example/vault/policies/lemonldap-ng.hcl | 4 ++--
 init/vault-database | 5 +----
 prep.d/10-mv-conf.sh | 1 -
 variables.yml | 8 ++++----
 vault/policies/lemonldap-ng.hcl | 4 ++--
 8 files changed, 13 insertions(+), 36 deletions(-)
 delete mode 100755 example/prep.d/10-mv-conf.sh
 delete mode 100755 prep.d/10-mv-conf.sh
diff --git a/example/init/vault-database b/example/init/vault-database
index 0e9dc76..21d1a10 100755
--- a/example/init/vault-database
+++ b/example/init/vault-database
@@ -2,7 +2,7 @@
 set -euo pipefail
-vault write database/roles/lemonldap-ng \
+vault write /database/roles/lemonldap-ng \
   db_name="postgres" \
   creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
     GRANT \"lemonldap-ng\" TO \"{{name}}\"; \
diff --git a/example/lemonldap-ng.nomad.hcl b/example/lemonldap-ng.nomad.hcl
index da431b0..db21998 100644
--- a/example/lemonldap-ng.nomad.hcl
+++ b/example/lemonldap-ng.nomad.hcl
@@ -58,8 +58,8 @@ job "lemonldap-ng" {
         "traefik.enable=true",
-        "traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
         "traefik.http.routers.lemonldap-ng-manager.entrypoints=https",
+        "traefik.http.routers.lemonldap-ng-manager.rule=Host(`manager.example.org`)",
         "traefik.http.routers.lemonldap-ng-manager.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file",
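Review bot: The new `vault write /database/roles/lemonldap-ng` path carries a leading slash that the old line did not, and this commit introduces the same leading slash in the consul-template `secret` calls and in the policy `path` rules; as far as I know the Vault CLI, consul-template and Vault's policy parser each strip a leading slash, but they are three separate code paths, so it is worth verifying after this change that `vault token capabilities <token> database/creds/lemonldap-ng` still returns `read` for the rendered policy rather than discovering a mismatch at task start. The `vault write` command continues past the end of the hunk, so whether `default_ttl`/`max_ttl` and `revocation_statements` are set is not visible here; if they are not, consider adding them so the dynamic role's lease lifetime and cleanup are explicit.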
@@ -274,8 +274,8 @@ PGHOST=127.0.0.1
 PGDATABASE=lemonldap-ng
 PGSSLMODE=disable
 PGPORT=5432
-PGUSER={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
-PGPASSWORD={{ with secret "database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
+PGUSER={{ with secret "/database/creds/lemonldap-ng" }}{{ .Data.username }}{{ end }}
+PGPASSWORD={{ with secret "/database/creds/lemonldap-ng" }}{{ .Data.password }}{{ end }}
 _EOT
         destination = "secrets/.db.env"
         uid = 100000
diff --git a/example/prep.d/10-mv-conf.sh b/example/prep.d/10-mv-conf.sh
deleted file mode 100755
index 4fbe27b..0000000
--- a/example/prep.d/10-mv-conf.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-set -eu
-if [ "lemonldap-ng" != "lemonldap-ng" ]; then
-  for DIR in vault consul nomad; do
-    if [ -d output/${DIR} ]; then
-      for FILE in $(find output/${DIR} -name "*lemonldap-ng*.hcl" -type f); do
-        NEW_FILE=$(echo "${FILE}" | sed -E "s/lemonldap-ng/lemonldap-ng/g")
-        mv "${FILE}" "${NEW_FILE}"
-      done
-    fi
-  done
-fi
diff --git a/example/vault/policies/lemonldap-ng.hcl b/example/vault/policies/lemonldap-ng.hcl
index b84659d..755f2e4 100644
--- a/example/vault/policies/lemonldap-ng.hcl
+++ b/example/vault/policies/lemonldap-ng.hcl
@@ -1,7 +1,7 @@
-path "kv/sevrice/lemonldap-ng" {
+path "/kv/sevrice/lemonldap-ng" {
   capabilities = ["read"]
 }
-path "database/creds/lemonldap-ng" {
+path "/database/creds/lemonldap-ng" {
   capabilities = ["read"]
 }
diff --git a/init/vault-database b/init/vault-database
index a44f309..59553c6 100755
--- a/init/vault-database
+++ b/init/vault-database
@@ -2,7 +2,4 @@
 set -euo pipefail
-[[- template "common/vault.mkpgrole.sh"
-  dict "ctx" .
-  "config" (dict "role" .instance "database" "postgres")
-]]
+[[ template "common/vault.mkpgrole.sh" merge .llng.engine . ]]
diff --git a/prep.d/10-mv-conf.sh b/prep.d/10-mv-conf.sh
deleted file mode 100755
index 73a6903..0000000
--- a/prep.d/10-mv-conf.sh
+++ /dev/null
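Review bot: The two `with secret "/database/creds/lemonldap-ng"` calls only yield a matching username/password pair because consul-template deduplicates identical dependencies and fetches one lease; that relies on the two path strings staying byte-identical, which a later edit to one line could break. A comment above them, `# both lookups must use the exact same path so consul-template returns one lease for both fields`, would protect that invariant. The enclosing `template` stanza starts and ends outside the hunk, so whether `change_mode`/`change_signal` is set is not visible here; with dynamic database credentials the task must reload or restart when the rendered `secrets/.db.env` changes, otherwise it keeps using revoked credentials.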
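Review bot: `kv/sevrice/lemonldap-ng` in the first `path` rule looks like a typo for `kv/service/lemonldap-ng`; as written the rule grants read on a path that presumably does not exist, so any template reading `kv/service/...` fails with permission denied while the rule itself grants nothing useful. If the secret really lives under `service`, change the line to `path "/kv/service/lemonldap-ng" {`, and fix it in the template `vault/policies/lemonldap-ng.hcl` from which this example is rendered rather than only here. Also, if `kv` is a KV v2 mount the read rule needs the `data/` segment (`kv/data/service/lemonldap-ng`); the diff does not show which KV version is in use, so that is worth confirming.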
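Review bot: The explicit `role`/`database` config previously passed to `common/vault.mkpgrole.sh` is replaced by `merge .llng.engine .`, and nothing in this diff shows what `.llng.engine` contains (the variables.yml hunk only exposes `llng.postgres.database`), so confirm it supplies the keys the template used to get from `config` (`role`, `database`) or the rendered `vault write` will target a misnamed or empty role. With Sprig's `merge`, as far as I know the first argument's keys win on conflict, so `.llng.engine` overrides the root context here, which is presumably intended but worth a comment such as `# engine settings (role, database, TTLs) come from llng.engine in variables.yml and override the root context` above the call.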
@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "lemonldap-ng" .instance) ]]
diff --git a/variables.yml b/variables.yml
index ddd3430..8225889 100644
--- a/variables.yml
+++ b/variables.yml
@@ -42,8 +42,8 @@ llng:
   # Database settings
   postgres:
     database: '[[ .instance ]]'
-    user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
-    password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+    user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+    password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
   # Additional env vars to pass to the container
   env:
@@ -123,7 +123,7 @@ llng:
     # Disable default CSP as Lemonldap::NG handle CSP itself
     csp: false
-    router: '[[ .instance ]]-manager[[ .consul.suffix ]]'
+    router: manager
   # The API is exposed by the portal, but usually must be secured differently
   # The following settings only apply to the REST/SOAP API
@@ -141,5 +141,5 @@ llng:
     compression: false
     auto_rule: false
-    router: '[[ .instance ]]-api[[ .consul.suffix ]]'
+    router: api
diff --git a/vault/policies/lemonldap-ng.hcl b/vault/policies/lemonldap-ng.hcl
index 67c1f8a..416b9d2 100644
--- a/vault/policies/lemonldap-ng.hcl
+++ b/vault/policies/lemonldap-ng.hcl
@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]kv/sevrice/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/sevrice/[[ .instance ]]" {
   capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
   capabilities = ["read"]
 }
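Review bot: Renaming `.vault.prefix` to `.vault.root` in `llng.postgres.user`/`password` silently breaks any other template in the repository that still references `.vault.prefix`, since a missing key in a Go template typically renders as empty or `<no value>` rather than failing; only these two values and the policy template are updated in this diff, so a repo-wide search for `.vault.prefix` is worth doing before merging. The values are correctly single-quoted so `{{ ... }}` is not parsed as a YAML flow mapping. A comment above `postgres:` such as `# user/password are dynamic Vault database creds; .vault.root is concatenated directly with 'database/creds/' so it must be empty or end with '/'` would document the contract the rendered example (`/database/creds/...`) depends on.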
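Review bot: `kv/sevrice/[[ .instance ]]` in the first `path` rule is almost certainly a typo for `kv/service/[[ .instance ]]`, and since this template produces the rendered example policy the typo propagates to every deployment; change the line to `path "[[ .vault.root ]]kv/service/[[ .instance ]]" {` if the KV secret is stored under `service`. The rule is concatenated with no separator, so `.vault.root` must be empty or end with `/` for the path to be valid; a comment such as `# .vault.root must be '' or end with '/'` above the first rule would make that explicit. If `kv` is a KV v2 mount, reads also need the `data/` segment in the policy path, which this diff does not let me confirm either way.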