From e16c19a21fa14d7a8daa5b7a3a8b7bd11d88c2f8 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 31 Jan 2024 14:06:09 +0100
Subject: [PATCH] Cleanup
---
 example/init/vault-database | 14 +++++++-------
 example/manage.nomad.hcl | 23 ++++++++++++++++++++---
 example/mariadb.nomad.hcl | 25 ++++++++++++++++++++++---
 example/prep.d/10-rand-pwd.sh | 25 ++++++++++++++++---------
 example/prep.d/mv_conf.sh | 19 -------------------
 example/vault/policies/mariadb.hcl | 2 +-
 init/vault-database | 14 +++++++-------
 manage.nomad.hcl | 27 +++++++++++++--------------
 mariadb.nomad.hcl | 24 +++++++++---------------
 prep.d/10-rand-pwd.sh | 13 +------------
 prep.d/mv_conf.sh | 1 -
 variables.yml | 7 +++++--
 vault/policies/mariadb.hcl | 2 +-
 13 files changed, 102 insertions(+), 94 deletions(-)
 delete mode 100755 example/prep.d/mv_conf.sh
 delete mode 100755 prep.d/mv_conf.sh
diff --git a/example/init/vault-database b/example/init/vault-database
index 59a38cb..963a123 100755
--- a/example/init/vault-database
+++ b/example/init/vault-database
@@ -2,22 +2,22 @@
 set -euo pipefail
-if [ "$(vault secrets list -format json | jq -r '.["database/"].type')" != "database" ]; then
- vault secrets enable -path database database
+if [ "$(vault secrets list -format json | jq -r '.["/database/"].type')" != "database" ]; then
+ vault secrets enable -path /database database
 fi
-if [ "$(vault list -format json database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then
- vault write database/config/mariadb \
+if [ "$(vault list -format json /database/config | jq '.[] | test("^mariadb$")')" = "false" ]; then
+ vault write /database/config/mariadb \
 plugin_name="mysql-database-plugin" \
 connection_url="{{username}}:{{password}}@tcp(mariadb.example.org:3306)/" \
 allowed_roles="*" \
 username=vault \
- password="$(vault kv get -field vault_initial_pwd kv/service/mariadb)" \
+ password="$(vault kv get -field vault_initial_pwd /kv/service/mariadb)" \
 disable_escaping=true
- vault write -force database/rotate-root/mariadb
+ vault write -force /database/rotate-root/mariadb
 fi
-vault write database/roles/mariadb-admin \
+vault write /database/roles/mariadb-admin \
 db_name="mariadb" \
 creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
 GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
diff --git a/example/manage.nomad.hcl b/example/manage.nomad.hcl
index 87c4562..70bf2bc 100644
--- a/example/manage.nomad.hcl
+++ b/example/manage.nomad.hcl
@@ -26,6 +26,18 @@ job "mariadb-manage" {
 }
 }
 sidecar_task {
+ config {
+ args = [
+ "-c",
+ "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
+ "-l",
+ "${meta.connect.log_level}",
+ "--concurrency",
+ "${meta.connect.proxy_concurrency}",
+ "--disable-hot-restart"
+ ]
+ }
+
 resources {
 cpu = 50
 memory = 64
@@ -78,10 +90,14 @@ job "mariadb-manage" {
 ]
 }
+
 vault {
- policies = ["mariadb"]
+ policies = ["mariadb"]
+ env = false
+ disable_file = true
 }
+
 env {
 LANG = "fr_FR.utf8"
@@ -163,7 +179,7 @@ _EOT
 [client]
 host = 127.0.0.1
 user = root
-password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.cnf"
 uid = 100100
@@ -173,7 +189,7 @@ _EOT
 template {
 data = <<_EOT
-{{ with secret "kv/service/mariadb" }}
+{{ with secret "/kv/service/mariadb" }}
 VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
 BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
 {{ end }}
@@ -185,6 +201,7 @@ _EOT
 env = true
 }
+
 resources {
 cpu = 20
 memory = 64
diff --git a/example/mariadb.nomad.hcl b/example/mariadb.nomad.hcl
index a500566..e130e59 100644
--- a/example/mariadb.nomad.hcl
+++ b/example/mariadb.nomad.hcl
@@ -1,4 +1,5 @@
 job "mariadb" {
+
 datacenters = ["dc1"]
@@ -27,6 +28,18 @@ job "mariadb" {
 disable_default_tcp_check = true
 }
 sidecar_task {
+ config {
+ args = [
+ "-c",
+ "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
+ "-l",
+ "${meta.connect.log_level}",
+ "--concurrency",
+ "${meta.connect.proxy_concurrency}",
+ "--disable-hot-restart"
+ ]
+ }
+
 resources {
 cpu = 50
 memory = 64
@@ -47,6 +60,11 @@ job "mariadb" {
 timeout = "10s"
 interval = "5s"
 }
+
+ tags = [
+
+
+ ]
 }
 # Run mysql_upgrade
@@ -76,7 +94,7 @@ job "mariadb" {
 [client]
 user = root
 host = 127.0.0.1
-password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/.my.cnf"
 uid = 100100
@@ -156,7 +174,7 @@ _EOT
 template {
 data = <<_EOT
-{{ with secret "kv/service/mariadb" }}
+{{ with secret "/kv/service/mariadb" }}
 MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
 {{ end }}
 _EOT
@@ -171,7 +189,7 @@ _EOT
 data = <<_EOT
 [client]
 user = root
-password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "/kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.conf"
 uid = 100100
@@ -184,6 +202,7 @@ _EOT
 destination = "/data"
 }
+
 resources {
 cpu = 1000
 memory = 512
diff --git a/example/prep.d/10-rand-pwd.sh b/example/prep.d/10-rand-pwd.sh
index 7cac0c3..6a049ff 100755
--- a/example/prep.d/10-rand-pwd.sh
+++ b/example/prep.d/10-rand-pwd.sh
@@ -2,15 +2,22 @@
 set -euo pipefail
-if ! vault kv list kv/service 2>/dev/null | grep -q -E '^mariadb$'; then
- vault kv put kv/service/mariadb \
- root_pwd=$(pwgen -s -n 50 1) \
- vault_initial_pwd=$(pwgen -s -n 50 1)
-fi
+# vim: syntax=sh
-for PWD in root_pwd vault_initial_pwd; do
- if ! vault kv get -field ${PWD} kv/service/mariadb >/dev/null 2>&1; then
- vault kv patch kv/service/mariadb \
- ${PWD}=$(pwgen -s -n 50 1)
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/mariadb
+RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
+if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+ vault kv put ${VAULT_KV_PATH} \
+ vault_initial_pwd="$(sh -c "${RAND_CMD}")" \
+ root_pwd="$(sh -c "${RAND_CMD}")" \
+
+fi
+for SECRET in vault_initial_pwd root_pwd; do
+ if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+ vault kv patch ${VAULT_KV_PATH} \
+ ${SECRET}=$(sh -c "${RAND_CMD}")
 fi
 done
+
+
diff --git a/example/prep.d/mv_conf.sh b/example/prep.d/mv_conf.sh
deleted file mode 100755
index ad767d1..0000000
--- a/example/prep.d/mv_conf.sh
+++ /dev/null
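Review bot: In the `vault kv patch` branch the generated value is still unquoted (`${SECRET}=$(sh -c "${RAND_CMD}")`) while the `vault kv put` branch quotes it; the `tr -dc` charset contains no whitespace or globbing characters so it works today, but `${SECRET}="$(sh -c "${RAND_CMD}")"` keeps both branches consistent if `RAND_CMD` is ever widened. The `vault kv put` call also ends with a trailing `\` followed by an empty line, which is harmless but reads like a leftover from the generating template. Both branches pass the freshly generated secrets as command-line arguments, so they are briefly readable in the process table by other local users; `vault kv put PATH -` accepts the key/value JSON on stdin and avoids that exposure. This was already the case with the pwgen version, so it can reasonably be a follow-up.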
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-
-
-if [ "mariadb" != "mariadb" ]; then
- for DIR in vault consul nomad; do
- if [ -d output/${DIR} ]; then
- for FILE in $(find output/${DIR} -name "*mariadb*.hcl" -type f); do
- NEW_FILE=$(echo "${FILE}" | sed -E "s/mariadb/mariadb/g")
- mv "${FILE}" "${NEW_FILE}"
- done
- fi
- done
-fi
-
-
-
diff --git a/example/vault/policies/mariadb.hcl b/example/vault/policies/mariadb.hcl
index 349544e..4380cee 100644
--- a/example/vault/policies/mariadb.hcl
+++ b/example/vault/policies/mariadb.hcl
@@ -1,3 +1,3 @@
-path "kv/data/service/mariadb" {
+path "/kv/data/service/mariadb" {
 capabilities = ["read"]
 }
diff --git a/init/vault-database b/init/vault-database
index cb13650..7572389 100755
--- a/init/vault-database
+++ b/init/vault-database
@@ -2,22 +2,22 @@
 set -euo pipefail
-if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.prefix ]]database/"].type')" != "database" ]; then
- vault secrets enable -path [[ .vault.prefix ]]database database
+if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.root ]]database/"].type')" != "database" ]; then
+ vault secrets enable -path [[ .vault.root ]]database database
 fi
-if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
- vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
+if [ "$(vault list -format json [[ .vault.root ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" = "false" ]; then
+ vault write [[ .vault.root ]]database/config/[[ .instance ]] \
 plugin_name="mysql-database-plugin" \
 connection_url="{{username}}:{{password}}@tcp([[ (urlParse .mariadb.server.public_address).Host ]])/" \
 allowed_roles="*" \
 username=vault \
- password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
+ password="$(vault kv get -field vault_initial_pwd [[ .vault.root ]]kv/service/[[ .instance ]])" \
 disable_escaping=true
- vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
+ vault write -force [[ .vault.root ]]database/rotate-root/[[ .instance ]]
 fi
-vault write [[ .vault.prefix ]]database/roles/mariadb-admin \
+vault write [[ .vault.root ]]database/roles/mariadb-admin \
 db_name="mariadb" \
 creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
 GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%' WITH GRANT OPTION; \
diff --git a/manage.nomad.hcl b/manage.nomad.hcl
index 01dfec2..567706d 100644
--- a/manage.nomad.hcl
+++ b/manage.nomad.hcl
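Review bot: The idempotency check at the top of the hunk will, I believe, never match once `.vault.root` carries a leading slash: `vault secrets list -format json` keys mounts without it (`database/`, the CLI strips the slash on enable), so `jq -r '.["/database/"].type'` returns `null`, the script re-runs `vault secrets enable` and aborts under `set -e` with a "path is already in use" error on every run after the first. The rendered copy in example/init/vault-database, where `.vault.root` is `/`, shows exactly that key. Normalising the key on the jq side keeps both forms working: `jq -r '.["[[ .vault.root ]]database/" | ltrimstr("/")].type'`. Worth confirming against a real mount listing before merging, since the `vault list`/`vault write` calls further down tolerate the leading slash and would mask the problem.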
@@ -1,7 +1,8 @@
-[[ $c := merge .mariadb.manage . -]]
 job "[[ .instance ]]-manage" {
 type = "batch"
-[[ template "common/job_start.tpl" $c ]]
+
+[[- $c := merge .mariadb.manage . ]]
+[[ template "common/job_start" $c ]]
 meta {
 # Force job to run each time
@@ -14,17 +15,17 @@ job "[[ .instance ]]-manage" {
 }
 service {
- name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
-[[ template "common/connect.tpl" $c ]]
+ name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
+[[ template "common/connect" $c ]]
 }
-[[ template "common/task.wait_for.tpl" $c ]]
+[[ template "common/task.wait_for" $c ]]
 task "manage" {
- driver = [[ $c.nomad.driver | toJSON ]]
+ driver = "[[ $c.nomad.driver ]]"
 config {
- image = [[ .mariadb.manage.image | toJSON ]]
+ image = "[[ .mariadb.manage.image ]]"
 pids_limit = 50
 readonly_rootfs = true
 command = "/local/manage.sh"
@@ -33,12 +34,10 @@ job "[[ .instance ]]-manage" {
 ]
 }
- vault {
- policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
- }
+[[ template "common/vault.policies" merge .mariadb . ]]
 env {
-[[ template "common/env.tpl" $c.env ]]
+[[ template "common/env" $c.env ]]
 }
 template {
@@ -97,7 +96,7 @@ _EOT
 [client]
 host = 127.0.0.1
 user = root
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.cnf"
 uid = 100100
@@ -107,7 +106,7 @@ _EOT
 template {
 data = <<_EOT
-{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
+{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
 VAULT_INITIAL_PASSWORD={{ .Data.data.vault_initial_pwd }}
 BACKUP_PASSWORD={{ .Data.data.backup_pwd }}
 {{ end }}
@@ -119,7 +118,7 @@ _EOT
 env = true
 }
-[[ template "common/resources.tpl" .mariadb.manage.resources ]]
+[[ template "common/resources" $c ]]
 }
 }
 }
diff --git a/mariadb.nomad.hcl b/mariadb.nomad.hcl
index ac27a81..4c566a3 100644
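Review bot: In the second hunk `driver = "[[ $c.nomad.driver ]]"` and `image = "[[ .mariadb.manage.image ]]"` replace `toJSON`, which produced a correctly escaped HCL string, with interpolation inside hand-written quotes; for these values that is cosmetically nicer, but `toJSON` was the form that could not produce invalid HCL if a value ever contained a quote or backslash, and it is still used nowhere else in the file after this change, so the switch deserves a word in the commit message. The same hunk also changes the service name from `$c.consul.suffix` to `.consul.suffix`, so a suffix set under `mariadb.manage` is no longer honoured — presumably intended, since mariadb.nomad.hcl makes the same change, but it is a behaviour change hidden in a "Cleanup" commit.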
--- a/mariadb.nomad.hcl
+++ b/mariadb.nomad.hcl
@@ -1,7 +1,6 @@
 job "[[ .instance ]]" {
-[[- $c := merge .mariadb.server .mariadb . -]]
-
+[[- $c := merge .mariadb.server .mariadb . ]]
 [[ template "common/job_start" $c ]]
 group "server" {
@@ -13,7 +12,7 @@ job "[[ .instance ]]" {
 [[ template "common/volumes" $c ]]
 service {
- name = "[[ .instance ]][[ $c.consul.suffix ]]"
+ name = "[[ .instance ]][[ .consul.suffix ]]"
 port = 3306
 [[ template "common/connect" $c ]]
@@ -30,14 +29,9 @@ job "[[ .instance ]]" {
 interval = "5s"
 }
-[[- if $c.traefik.enabled ]]
 tags = [
- "[[ $c.traefik.instance ]].enable=true",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`*`)",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]"
+[[ template "common/traefik_tags" $c ]]
 ]
-[[- end ]]
 }
 # Run mysql_upgrade
@@ -49,9 +43,9 @@ job "[[ .instance ]]" {
 }
 config {
- image = "[[ .mariadb.server.image ]]"
+ image = "[[ .mariadb.server.image ]]"
 pids_limit = 100
- command = "/local/mysql_upgrade.sh"
+ command = "/local/mysql_upgrade.sh"
 }
 [[ template "common/vault.policies" $c ]]
@@ -61,7 +55,7 @@ job "[[ .instance ]]" {
 [client]
 user = root
 host = 127.0.0.1
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/.my.cnf"
 uid = 100100
@@ -114,7 +108,7 @@ _EOT
 template {
 data = <<_EOT
-{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
+{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}
 MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
 {{ end }}
 _EOT
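Review bot: In the `@@ -30,14 +29,9 @@` hunk the `tags = [ ... ]` block is now emitted unconditionally with only `[[ template "common/traefik_tags" $c ]]` inside; with Traefik disabled (the default in variables.yml) the rendered example/mariadb.nomad.hcl in this same patch shows an empty list padded with three blank lines. Nomad accepts an empty tags list, so this is cosmetic, but trimming the delimiters (`[[- template "common/traefik_tags" $c -]]`) or keeping the `[[- if $c.traefik.enabled ]]` guard around the block would keep the generated job file clean. I cannot see common/traefik_tags here, so whether it handles the disabled case itself is an assumption.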
@@ -129,7 +123,7 @@ _EOT
 data = <<_EOT
 [client]
 user = root
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/my.conf"
 uid = 100100
@@ -186,7 +180,7 @@ _EOT
 [client]
 user = root
 host = 127.0.0.1
-password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
+password = {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
 _EOT
 destination = "secrets/.my.cnf"
 uid = 100000
diff --git a/prep.d/10-rand-pwd.sh b/prep.d/10-rand-pwd.sh
index 3bcaa2e..fac9091 100755
--- a/prep.d/10-rand-pwd.sh
+++ b/prep.d/10-rand-pwd.sh
@@ -2,15 +2,4 @@
 set -euo pipefail
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- root_pwd=$(pwgen -s -n 50 1) \
- vault_initial_pwd=$(pwgen -s -n 50 1)
-fi
-
-for PWD in root_pwd vault_initial_pwd; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- ${PWD}=$(pwgen -s -n 50 1)
- fi
-done
+[[ template "common/vault.rand_secrets" merge .mariadb . ]]
diff --git a/prep.d/mv_conf.sh b/prep.d/mv_conf.sh
deleted file mode 100755
index e992f59..0000000
--- a/prep.d/mv_conf.sh
+++ /dev/null
@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "mariadb" .instance) ]]
diff --git a/variables.yml b/variables.yml
index c98fd31..eb8a394 100644
--- a/variables.yml
+++ b/variables.yml
@@ -8,6 +8,10 @@ mariadb:
 vault:
 policies:
 - '[[ .instance ]][[ .consul.suffix ]]'
+ rand_secrets:
+ fields:
+ - vault_initial_pwd
+ - root_pwd
 # MariaDB server settings
 server:
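Review bot: In the variables.yml hunk `rand_secrets.fields` lists only `vault_initial_pwd` and `root_pwd`, while the manage job template changed in this same patch also reads `.Data.data.backup_pwd` from the same KV secret; if nothing else writes that field, `backup_pwd` should probably be added to the list, otherwise the template renders an empty `BACKUP_PASSWORD=`. I cannot see common/vault.rand_secrets, so this assumes it creates exactly the listed fields, which the rendered example/prep.d/10-rand-pwd.sh appears to confirm.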
@@ -32,11 +36,10 @@ mariadb:
 traefik:
 # Toggle if Traefik support is enabled
 enabled: false
+ proto: tcp
 # List of entrypoints to bind the sevrice to. This must be a dedicated TCP entrypoint
 entrypoints:
 - mariadb
- # List of TCP middlewares to apply
- middlewares: []
 consul:
 connect:
diff --git a/vault/policies/mariadb.hcl b/vault/policies/mariadb.hcl
index b37a3c2..6320284 100644
--- a/vault/policies/mariadb.hcl
+++ b/vault/policies/mariadb.hcl
@@ -1,3 +1,3 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
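Review bot: `middlewares: []` is dropped from the traefik defaults, but `common/traefik_tags`, which mariadb.nomad.hcl now delegates to, is not part of this patch; if that shared template still references `.traefik.middlewares` (the removed inline tags did), rendering will hit a missing map key. Worth confirming the common template was updated in the same series, or keeping the empty default so the key always exists.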