Enable workload identities

2024-09-30 13:51:10 +02:00 · 2024-09-30 13:51:10 +02:00 · 979c64a991
commit 979c64a991
parent 0163ab2a60
5 changed files with 40 additions and 10 deletions
--- a/example/images/miniflux/Dockerfile
+++ b/example/images/miniflux/Dockerfile
@ -1,7 +1,7 @@
-FROM danielberteaud/alpine:24.9-1
+FROM danielberteaud/alpine:24.9-3
 LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"

-ARG MINIFLUX_VERSION=2.2.0
+ARG MINIFLUX_VERSION=2.2.1

 ENV LISTEN_ADDR=0.0.0.0:8085 \
    RUN_MIGRATIONS=1 \
--- a/example/miniflux.nomad.hcl
+++ b/example/miniflux.nomad.hcl
@ -107,7 +107,7 @@ job "miniflux" {
      user   = 1053

      config {
-        image           = "danielberteaud/wait-for:24.8-1"
+        image           = "danielberteaud/wait-for:24.9-1"
        readonly_rootfs = true
        pids_limit      = 20
      }
@ -135,7 +135,7 @@ job "miniflux" {
      driver = "docker"

      config {
-        image           = "danielberteaud/miniflux:2.2.0-1"
+        image           = "danielberteaud/miniflux:2.2.1-1"
        readonly_rootfs = true

        pids_limit = 100
@ -143,7 +143,7 @@ job "miniflux" {


      vault {
-        policies     = ["miniflux"]
+        role         = "miniflux"
        env          = false
        disable_file = true
        change_mode  = "noop"
@ -180,8 +180,9 @@ _EOT


      resources {
-        cpu    = 50
-        memory = 192
+        cpu        = 50
+        memory     = 192
+        memory_max = 256
      }

    }
--- a/example/vault/roles/miniflux.json
+++ b/example/vault/roles/miniflux.json
@ -0,0 +1,25 @@
+{
+  "bound_audiences": [
+    "vault.io"
+  ],
+  "bound_claims": {
+    "nomad_job_id": "miniflux",
+    "nomad_namespace": "default"
+  },
+  "claim_mapping": {
+    "nomad_allocation_id": "nomad_allocation_id",
+    "nomad_job_id": "nomad_job_id",
+    "nomad_namespace": "nomad_namespace",
+    "nomad_task": "nomad_task"
+  },
+  "role_type": "jwt",
+  "token_explicit_max_ttl": 0,
+  "token_period": "1h",
+  "token_policies": [
+    "miniflux"
+  ],
+  "token_type": "service",
+  "user_claim": "/nomad_allocation_id",
+  "user_claim_json_pointer": true
+}
+
--- a/variables.yml
+++ b/variables.yml
@ -6,7 +6,7 @@ instance: miniflux
 miniflux:

  # Version of miniflux
-  version: 2.2.0
+  version: 2.2.1

  # Docker image to use
  image: '[[ .docker.repo ]]miniflux:[[ .miniflux.version ]]-1'
@ -18,6 +18,7 @@ miniflux:
  resources:
    cpu: 50
    memory: 192
+    memory_max: 256

  wait_for:
    - service: primary.postgres[[ .consul.suffix ]]
@ -29,8 +30,10 @@ miniflux:
          local_bind_port: 5432

  vault:
-    policies:
-      - '[[ .instance ]][[ .consul.suffix ]]'
+    workload_identity:
+      role:
+        token_policies:
+          - '[[ .instance ]][[ .consul.suffix ]]'

  # Additional env var to pass to the container
  env: {}
--- a/vault/roles/miniflux.json
+++ b/vault/roles/miniflux.json
@ -0,0 +1 @@
+[[ template "common/vault.jwt_role" merge .miniflux . ]]
				`@ -0,0 +1 @@`
				`[[ template "common/vault.jwt_role" merge .miniflux . ]]`