From a92ecda6cebee787b8513199e09d688a03a3e67c Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 31 Jan 2024 16:20:00 +0100 Subject: [PATCH] Cleanups --- consul/policies/traefik.hcl | 4 ++-- example/prep.d/rename_policies.sh | 19 ------------------- example/traefik.nomad.hcl | 22 +++++++++++----------- example/vault/policies/traefik.hcl | 10 +++++----- prep.d/rename_policies.sh | 1 - templates/config/basicauth.yml.tpl | 6 +++--- templates/config/certificates.yml.tpl | 6 +++--- templates/config/proxy.yml.tpl | 2 +- vault/policies/traefik.hcl | 10 +++++----- 9 files changed, 30 insertions(+), 50 deletions(-) delete mode 100755 example/prep.d/rename_policies.sh delete mode 100755 prep.d/rename_policies.sh diff --git a/consul/policies/traefik.hcl b/consul/policies/traefik.hcl index 6790815..783bfb1 100644 --- a/consul/policies/traefik.hcl +++ b/consul/policies/traefik.hcl @@ -1,8 +1,8 @@ -key_prefix "service/[[ .instance ]]" { +key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]" { policy = "read" } -key_prefix "common/ip" { +key_prefix "[[ .consul.kv.root ]]common/ip" { policy = "read" } diff --git a/example/prep.d/rename_policies.sh b/example/prep.d/rename_policies.sh deleted file mode 100755 index da8f421..0000000 --- a/example/prep.d/rename_policies.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -set -eu - - - -if [ "traefik" != "traefik" ]; then - for DIR in vault consul nomad; do - if [ -d output/${DIR} ]; then - for FILE in $(find output/${DIR} -name "*traefik*.hcl" -type f); do - NEW_FILE=$(echo "${FILE}" | sed -E "s/traefik/traefik/g") - mv "${FILE}" "${NEW_FILE}" - done - fi - done -fi - - - diff --git a/example/traefik.nomad.hcl b/example/traefik.nomad.hcl index 943f09e..b618dce 100644 --- a/example/traefik.nomad.hcl +++ b/example/traefik.nomad.hcl 
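Review bot: `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]"` is a prefix match with no trailing `/`, so an instance named `traefik` also gets read access to `service/traefik-foo` and any other key that starts with that string. Unless sharing keys between similarly named instances is intended, scope it with `key_prefix "[[ .consul.kv.root ]]service/[[ .instance ]]/" {`; the same applies to `common/ip`, which as written also matches `common/ipsomething`. This is standard Consul `key_prefix` behaviour, not something this hunk changes, but the rename is a good moment to tighten it.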
@@ -76,10 +76,10 @@ job "traefik" { "traefik.enable=true", "traefik.http.routers.traefik-api.entrypoints=https", - "traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.middlewares.csp-traefik-api.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", "traefik.http.middlewares.traefik-path.replacepathregex.regex=^/dashboard/(.*)", "traefik.http.middlewares.traefik-path.replacepathregex.replacement=/dashboard/$${1}", - "traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,traefik-csp", + "traefik.http.routers.traefik-api.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,traefik-path,inflight-std@file,hsts@file,compression@file,csp-traefik-api", "traefik.http.routers.traefik-ping.rule=(Host(`traefik.example.org`) || HostRegexp(`(.+\\.)?traefik.service.consul`)) && Path(`/ping`) && Method(`GET`)", "traefik.http.routers.traefik-ping.service=ping@internal", 
@@ -87,8 +87,8 @@ job "traefik" { "traefik.enable=true", "traefik.http.routers.traefik-ping.entrypoints=http,https", "traefik.http.routers.traefik-ping.priority=2000", - "traefik.http.middlewares.traefik-csp.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", - "traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,traefik-csp", + "traefik.http.middlewares.csp-traefik-ping.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';", + "traefik.http.routers.traefik-ping.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-traefik-ping", "traefik-${NOMAD_ALLOC_INDEX}" @@ -177,16 +177,16 @@ _EOF data = <<_EOF --- -{{ if gt (len (secrets "kv/service/traefik/basicauth/")) 0 }} +{{ if gt (len (secrets "/kv/service/traefik/basicauth/")) 0 }} http: middlewares: - {{- range secrets "kv/service/traefik/basicauth/" }} + {{- range secrets "/kv/service/traefik/basicauth/" }} basicauth-{{ . }}: basicAuth: realm: {{ . }} removeheader: true users: - {{- with secret (printf "kv/data/service/traefik/basicauth/%s" .) }} + {{- with secret (printf "/kv/data/service/traefik/basicauth/%s" .) }} {{- range $k, $v := .Data.data }} - {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }} {{- end }} 
@@ -223,12 +223,12 @@ _EOF data = <<_EOF --- -{{- if ne 0 (len (secrets "kv/service/traefik/certs/")) }} +{{- if ne 0 (len (secrets "/kv/service/traefik/certs/")) }} tls: certificates: -{{- range secrets "kv/service/traefik/certs/" }} +{{- range secrets "/kv/service/traefik/certs/" }} {{- $cn := . }} -{{- with secret (printf "kv/service/traefik/certs/%s" $cn) }} +{{- with secret (printf "/kv/service/traefik/certs/%s" $cn) }} # {{ $cn }} - certFile: |- {{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }} @@ -418,7 +418,7 @@ http: forward-proto: headers: customRequestHeaders: - X-Fowarded-Proto: https + X-Forwarded-Proto: https _EOF destination = "secrets/config/proxy.yml" diff --git a/example/vault/policies/traefik.hcl b/example/vault/policies/traefik.hcl index ea3116a..bb58e81 100644 --- a/example/vault/policies/traefik.hcl +++ b/example/vault/policies/traefik.hcl @@ -1,16 +1,16 @@ # Get a consul token -path "consul/creds/traefik" { +path "/consul/creds/traefik" { capabilities = ["read"] } # Read traefik specific settings -path "kv/data/service/traefik" { +path "/kv/data/service/traefik" { capabilities = ["read", "list"] } -# LIst and read traefik basic auth &cie -path "kv/metadata/service/traefik/*" { +# List and read traefik basic auth &cie +path "/kv/metadata/service/traefik/*" { capabilities = ["list","read"] } -path "kv/data/service/traefik/*" { +path "/kv/data/service/traefik/*" { capabilities = ["read"] } diff --git a/prep.d/rename_policies.sh b/prep.d/rename_policies.sh deleted file mode 100755 index db74afe..0000000 --- a/prep.d/rename_policies.sh +++ /dev/null @@ -1 +0,0 @@ -[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "traefik" .instance) ]] diff --git a/templates/config/basicauth.yml.tpl b/templates/config/basicauth.yml.tpl index ebae303..20f56e4 100644 --- a/templates/config/basicauth.yml.tpl +++ b/templates/config/basicauth.yml.tpl 
@@ -1,15 +1,15 @@ --- -{{ if gt (len (secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/")) 0 }} +{{ if gt (len (secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/")) 0 }} http: middlewares: - {{- range secrets "[[ .vault.prefix ]]kv/service/traefik/basicauth/" }} + {{- range secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/basicauth/" }} basicauth-{{ . }}: basicAuth: realm: {{ . }} removeheader: true users: - {{- with secret (printf "[[ .vault.prefix ]]kv/data/service/traefik/basicauth/%s" .) }} + {{- with secret (printf "[[ .vault.root ]]kv/data/service/[[ .instance ]]/basicauth/%s" .) }} {{- range $k, $v := .Data.data }} - {{ $k }}:{{ if $v | regexMatch "^\\$2y\\$" }}{{ $v }}{{ else }}{{ sprig_bcrypt $v }}{{ end }} {{- end }} diff --git a/templates/config/certificates.yml.tpl b/templates/config/certificates.yml.tpl index f2e26c5..b91e29b 100644 --- a/templates/config/certificates.yml.tpl +++ b/templates/config/certificates.yml.tpl @@ -1,11 +1,11 @@ --- -{{- if ne 0 (len (secrets "[[ .vault.prefix ]]kv/service/traefik/certs/")) }} +{{- if ne 0 (len (secrets "[[ .vault.root ]]kv/service/traefik/certs/")) }} tls: certificates: -{{- range secrets "[[ .vault.prefix ]]kv/service/traefik/certs/" }} +{{- range secrets "[[ .vault.root ]]kv/service/traefik/certs/" }} {{- $cn := . }} -{{- with secret (printf "[[ .vault.prefix ]]kv/service/traefik/certs/%s" $cn) }} +{{- with secret (printf "[[ .vault.root ]]kv/service/traefik/certs/%s" $cn) }} # {{ $cn }} - certFile: |- {{ .Data.data.cert | replaceAll "\n\n" "\n" | indent 8 }} diff --git a/templates/config/proxy.yml.tpl b/templates/config/proxy.yml.tpl index eb14839..04c6cce 100644 --- a/templates/config/proxy.yml.tpl +++ b/templates/config/proxy.yml.tpl @@ -5,4 +5,4 @@ http: forward-proto: headers: customRequestHeaders: - X-Fowarded-Proto: https + X-Forwarded-Proto: https diff --git a/vault/policies/traefik.hcl b/vault/policies/traefik.hcl index 357d2a9..394cc2d 100644 
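Review bot: The `regexMatch "^\\$2y\\$"` test in the users loop only recognises `$2y$` bcrypt hashes, so a `$2a$` or `$2b$` hash stored in Vault is treated as a plaintext password and bcrypt-hashed a second time, which locks that user out. `{{ if $v | regexMatch "^\\$2[aby]\\$" }}` would accept all three prefixes that Traefik's bcrypt verifier understands. The line is context in this hunk, but it is on the new side of the file and the commit does not address it.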
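Review bot: `templates/config/certificates.yml.tpl` still hard-codes `traefik` in all three Vault paths (`[[ .vault.root ]]kv/service/traefik/certs/`), while `basicauth.yml.tpl` in this same commit switches to `[[ .instance ]]` and `vault/policies/traefik.hcl` now grants read only under `kv/data/service/[[ .instance ]]/*`. For any instance not named `traefik` the certificate lookups point outside the granted policy, so the render will presumably be denied. Change the `if` and `range` lines to `secrets "[[ .vault.root ]]kv/service/[[ .instance ]]/certs/"` and the lookup to `secret (printf "[[ .vault.root ]]kv/service/[[ .instance ]]/certs/%s" $cn)`.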
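Review bot: The corrected `forward-proto` middleware sets `X-Forwarded-Proto: https` unconditionally, so it is only correct on routers bound to a TLS entrypoint; attached to a plain-HTTP router it tells the backend the request was secure. The example job in this commit already does this for `traefik-ping` (`entrypoints=http,https` with `forward-proto@file` in its middleware list), which is harmless for `ping@internal` but a trap for a real backend. Add a comment above the middleware: `# Overwrites X-Forwarded-Proto with "https"; only attach to routers on the https entrypoint`.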
--- a/vault/policies/traefik.hcl +++ b/vault/policies/traefik.hcl @@ -1,16 +1,16 @@ # Get a consul token -path "consul/creds/traefik" { +path "[[ .vault.root ]]consul/creds/[[ .instance ]]" { capabilities = ["read"] } # Read traefik specific settings -path "[[ .vault.prefix ]]kv/data/service/traefik" { +path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" { capabilities = ["read", "list"] } -# LIst and read traefik basic auth &cie -path "[[ .vault.prefix ]]kv/metadata/service/traefik/*" { +# List and read traefik basic auth &cie +path "[[ .vault.root ]]kv/metadata/service/[[ .instance ]]/*" { capabilities = ["list","read"] } -path "[[ .vault.prefix ]]kv/data/service/traefik/*" { +path "[[ .vault.root ]]kv/data/service/[[ .instance ]]/*" { capabilities = ["read"] }
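Review bot: The `list` capability on `path "[[ .vault.root ]]kv/data/service/[[ .instance ]]"` grants nothing useful: in KV v2 listing is served from the `metadata/` path, which the following block already allows, so this one can be reduced to `capabilities = ["read"]`. Separately, the example output in this commit renders `[[ .vault.root ]]` as `/`, producing paths such as `/consul/creds/traefik`; I believe Vault policies and consul-template's `secrets` calls both strip a leading slash, but that is worth confirming against a live instance, or `.vault.root` could default to an empty string so the generated paths match the documented `kv/...` form.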