From 4f6829a4d0744c9b3333f3fd35abc825d8f302f2 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 31 Jan 2024 10:53:15 +0100
Subject: [PATCH] Adapt to new vault common templates

---
 example/init/vault-vaultwarden | 2 +-
 example/vault/policies/vaultwarden.hcl | 4 ++--
 example/vaultwarden.nomad.hcl | 2 +-
 variables.yml | 4 ++--
 vault/policies/vaultwarden.hcl | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/example/init/vault-vaultwarden b/example/init/vault-vaultwarden
index b9f5171..ccb68dd 100755
--- a/example/init/vault-vaultwarden
+++ b/example/init/vault-vaultwarden
@@ -2,7 +2,7 @@ set -euo pipefail
-vault write database/roles/vaultwarden \
+vault write /database/roles/vaultwarden \
 db_name="postgres" \
 creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
 GRANT \"vaultwarden\" TO \"{{name}}\"; \
diff --git a/example/vault/policies/vaultwarden.hcl b/example/vault/policies/vaultwarden.hcl
index 081dd6e..91f8eb3 100644
--- a/example/vault/policies/vaultwarden.hcl
+++ b/example/vault/policies/vaultwarden.hcl
@@ -1,7 +1,7 @@
-path "kv/data/service/vaultwarden" {
+path "/kv/data/service/vaultwarden" {
 capabilities = ["read"]
 }
-path "database/creds/vaultwarden" {
+path "/database/creds/vaultwarden" {
 capabilities = ["read"]
 }
diff --git a/example/vaultwarden.nomad.hcl b/example/vaultwarden.nomad.hcl
index 34e21bd..2e19b6a 100644
--- a/example/vaultwarden.nomad.hcl
+++ b/example/vaultwarden.nomad.hcl
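Review bot: Both `path` rules in example/vault/policies/vaultwarden.hcl now begin with `/`, so whether they grant anything depends on Vault normalizing policy paths; Vault strips one leading slash when it parses a policy, so `/kv/data/service/vaultwarden` should still match requests for `kv/data/service/vaultwarden`, but this file is the rendered form of the templated policy and is the first place a wrong `.vault.root` value would show up. After rendering, confirm the grant once with `vault token capabilities <token> kv/data/service/vaultwarden` (and the creds path) instead of reading the policy text. The same leading slash in `vault write /database/roles/vaultwarden` in example/init/vault-vaultwarden is accepted because the CLI and API client trim it before building the request path, so that hunk needs no change; its `creation_statements` continue outside the hunk.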
@@ -153,7 +153,7 @@ job "vaultwarden" {
 template {
 data = <<_EOT
-DATABASE_URL=postgresql://{{ with secret "database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/vaultwarden" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/vaultwarden]
+DATABASE_URL=postgresql://{{ with secret "/database/creds/vaultwarden" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/vaultwarden" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/vaultwarden]
 _EOT
 destination = "secrets/.db.env"
 perms = 400
diff --git a/variables.yml b/variables.yml
index ccb99ce..c97293b 100644
--- a/variables.yml
+++ b/variables.yml
@@ -31,8 +31,8 @@ vaultwarden:
 # Postgres settings
 postgres:
 database: '[[ .instance ]]'
- user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
- password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+ user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
+ password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
 pooler:
 mode: session
diff --git a/vault/policies/vaultwarden.hcl b/vault/policies/vaultwarden.hcl
index 4ec71e1..4b45679 100644
--- a/vault/policies/vaultwarden.hcl
+++ b/vault/policies/vaultwarden.hcl
@@ -1,7 +1,7 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }
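Review bot: The `DATABASE_URL` value in example/vaultwarden.nomad.hcl still ends in `/vaultwarden]` on the new side, so the database name in the rendered connection string carries a stray `]`; unless the database really is named that way, the line should end `@127.0.0.1:5432/vaultwarden`. The password is passed through `urlquery` but the username is not; Vault's generated Postgres usernames are presumably URL-safe, yet wrapping `.Data.username` the same way costs nothing and keeps the template correct under a custom `username_template`. `perms = 400` is a bare number where Nomad documents `perms` as a string (`perms = "400"`); the HCL2 decoder appears to coerce it, but quoting it matches the documented form and avoids relying on that. The enclosing `template` block continues outside the hunk.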
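Review bot: `[[ .vault.root ]]database/creds/[[ .instance ]]` in variables.yml concatenates the new root variable directly onto the mount path with no separator, so rendering is only correct when `.vault.root` is empty or ends with `/` (the rendered example uses `/`); a value such as `vault` would silently produce `vaultdatabase/creds/...`, and because vault/policies/vaultwarden.hcl is rendered with the same prefix the mismatch would only surface as a failed secret read at deploy time. Record the contract next to the first use in variables.yml: `# .vault.root must be "" or end with "/": it is concatenated with no separator`. The same applies to both `path` rules in the vault/policies/vaultwarden.hcl hunk, where a comment such as `# [[ .vault.root ]] is expected to be "" or end with "/"` above the first rule would serve the same purpose. The `postgres` mapping in variables.yml continues outside the hunk.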