Update to 2022-09-06 18:00

2025-10-31 10:51:27 +01:00 · 2022-09-06 18:00:22 +02:00
parent ac46e06fb3
commit 382804b568
33 changed files with 311 additions and 113 deletions
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -126,3 +126,32 @@ vault_host_conf: {}
 # Merge all the conf
 vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"

+# This can be used to spawn a consul-template service which will obtain and renew client cert
+# to reach Nomad API, so the Nomad secret can be used securely
+vault_base_secrets:
+  # The vault API to query. Default is our own API
+  vault_address: "{{ vault_conf.api_addr }}"
+  # The vault token to use
+  vault_token: XXXXXXX
+  nomad:
+    enabled: False
+    # The Nomad API address
+    address: https://nomad.service.consul:4646
+    # The Nomad management token vault will use to issue tokens for users
+    token: XXXXXXX
+    pki:
+      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
+      path: /pki/nomad
+      # The role used to issue the certificate
+      role: nomad-user
+      # The TTL of the certificate issued for vault
+      ttl: 72h
+      # The common name of the certificate
+      cn: vault
+    secret:
+      # The path where the Nomad secret engine is mounted
+      # Note: the secret must be already mounted
+      path: nomad
+vault_extra_secrets: {}
+vault_host_secrets: {}
+vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"
--- a/roles/vault/handlers/main.yml
+++ b/roles/vault/handlers/main.yml
@@ -6,3 +6,6 @@

 - name: reload vault
  service: name=vault state=reloaded
+
+- name: restart consul-template-vault
+  service: name=consul-template-vault state=restarted
--- a/roles/vault/meta/main.yml
+++ b/roles/vault/meta/main.yml
@@ -2,3 +2,4 @@

 dependencies:
  - role: mkdir
+  - role: consul_template
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@@ -22,3 +22,20 @@
 - name: Setup logrotate
  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
  tags: vault
+
+- when: vault_secrets.nomad.enabled
+  block:
+
+    - name: Deploy the consul-template conf
+      template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl
+      notify: restart consul-template-vault
+
+    - name: Deploy Nomad certificate bundle template for consul-template
+      template: src=nomad_client_bundle.json.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl
+      notify: restart consul-template-vault
+
+    - name: Deploy the update cert hook
+      template: src=update_nomad_cert.j2 dest={{ vault_root_dir }}/bin/update_nomad_cert mode=755
+      notify: restart consul-template-vault
+
+  tags: vault
--- a/roles/vault/tasks/directories.yml
+++ b/roles/vault/tasks/directories.yml
@@ -44,4 +44,5 @@
      owner: root
      group: "{{ vault_user }}"
      mode: 750
+    - dir: consul-template
  tags: vault
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -6,6 +6,7 @@
      - tar
      - zstd
      - unzip
+      - jq
  tags: vault

 - when: vault_install_mode != 'none'
@@ -48,9 +49,16 @@
  notify: restart vault
  tags: vault

+- name: Install consul-template unit
+  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
+  notify: restart consul-template-vault
+  when: vault_secrets.nomad.enabled
+  register: vault_secrets_nomad_unit
+  tags: vault
+
 - name: Reload systemd
  systemd: daemon_reload=True
-  when: vault_unit.changed
+  when: vault_unit.changed or (vault_secrets_nomad_unit is defined and vault_secrets_nomad_unit.changed)
  tags: vault

 - name: Install dehydrated hook
@@ -65,3 +73,4 @@
    dest: /etc/profile.d/vault.sh
    mode: 0755
  tags: vault
+
--- a/roles/vault/tasks/services.yml
+++ b/roles/vault/tasks/services.yml
@@ -4,3 +4,10 @@
  service: name=vault state=started enabled=True
  register: vault_service_started
  tags: vault
+
+- name: Handle consul-template-vault service
+  service:
+    name: consul-template-vault
+    state: "{{ vault_secrets.nomad.enabled | ternary('started', 'stopped') }}"
+    enabled: "{{ vault_secrets.nomad.enabled | ternary(True, False) }}"
+  tags: vault
--- a/roles/vault/templates/consul-template-vault.service.j2
+++ b/roles/vault/templates/consul-template-vault.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description="HashiCorp consul-template"
+Documentation=https://github.com/hashicorp/consul-template
+Requires=network-online.target
+After=network-online.target
+After=vault.service
+ConditionFileNotEmpty={{ vault_root_dir }}/consul-template/consul-template.hcl
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/consul-template -config={{ vault_root_dir }}/consul-template/consul-template.hcl
+SuccessExitStatus=12
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/vault/templates/consul-template.hcl.j2
+++ b/roles/vault/templates/consul-template.hcl.j2
@@ -0,0 +1,18 @@
+vault {
+  address      = "{{ vault_secrets.vault_address }}"
+  token        = "{{ vault_secrets.vault_token }}"
+  unwrap_token = false
+}
+
+{% if vault_secrets.nomad.enabled %}
+template {
+  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ vault_root_dir }}/tmp/nomad_client_bundle.json"
+  perms           = 0600
+  exec {
+    command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
+  }
+}
+{% endif %}
--- a/roles/vault/templates/nomad_client_bundle.json.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.json.tpl.j2
@@ -0,0 +1,3 @@
+[[ with secret "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
+[[ .Data | toJSONPretty ]]
+[[ end ]]
--- a/roles/vault/templates/update_nomad_cert.j2
+++ b/roles/vault/templates/update_nomad_cert.j2
@@ -0,0 +1,29 @@
+#!/bin/sh
+  
+set -eo pipefail
+
+NOMAD_TOKEN=$1
+VAULT_TOKEN=$2
+
+NOMAD_CERT_BUNDLE={{ vault_root_dir }}/tmp/nomad_client_bundle.json
+VAULT_ADDR={{ vault_conf.api_addr }}
+
+if [ "$(vault status -format=json| jq .is_self)" != "true" ]; then
+  echo "We're not the active vault, exiting"
+elif [ "$(vault status -format=json | jq .sealed)" != "false" ]; then
+  echo "Vault is sealed, exiting"
+elif [ "$(vault status -format=json | jq .initialized)" != "true" ]; then
+  echo "Vault is not initialized yet, exiting"
+else
+  echo Updating Vault certificate to access Nomad API
+  VAULT_TOKEN=$VAULT_TOKEN \
+    vault write {{ vault_secrets.nomad.secret.path }}/config/access \
+      address="{{ vault_secrets.nomad.address }}" \
+      token="$NOMAD_TOKEN" \
+      ca_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .issuing_ca)" \
+      client_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .certificate)" \
+      client_key="$(cat $NOMAD_CERT_BUNDLE | jq -r .private_key)"
+fi
+
+echo Removing Nomad client certificate from the filesystem
+rm -f $NOMAD_CERT_BUNDLE