Update to 2022-09-20 13:00

2025-07-27 00:05:44 +02:00 · 2022-09-20 13:00:08 +02:00
parent 66df749295
commit e6019f8e32
12 changed files with 50 additions and 26 deletions
--- a/roles/vault/tasks/conf.yml
+++ b/roles/vault/tasks/conf.yml
@@ -19,6 +19,10 @@
  notify: restart vault
  tags: vault

+- name: Ensure correct permission on vault private key
+  file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
+  tags: vault
+
 - name: Setup logrotate
  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
  tags: vault
@@ -30,8 +34,8 @@
      template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
      notify: restart consul-template-vault

-    - name: Deploy Nomad certificate bundle template for consul-template
-      template: src=nomad_client_bundle.json.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl
+    - name: Deploy Nomad certificate bundle template
+      template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
      notify: restart consul-template-vault

    - name: Deploy the update cert hook
--- a/roles/vault/templates/consul-template.hcl.j2
+++ b/roles/vault/templates/consul-template.hcl.j2
@@ -6,10 +6,10 @@ vault {

 {% if vault_secrets.nomad.enabled %}
 template {
-  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.json.tpl"
+  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
-  destination     = "{{ vault_root_dir }}/tmp/nomad_client_bundle.json"
+  destination     = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
  perms           = 0600
  exec {
    command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
--- a/roles/vault/templates/nomad_client_bundle.json.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.json.tpl.j2
@@ -1,3 +0,0 @@
-[[ with secret "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
-[[ .Data | toJSONPretty ]]
-[[ end ]]
--- a/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
@@ -0,0 +1,8 @@
+[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
+[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
+[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
+[[ end ]]
--- a/roles/vault/templates/update_nomad_cert.j2
+++ b/roles/vault/templates/update_nomad_cert.j2
@@ -5,7 +5,6 @@ set -eo pipefail
 NOMAD_TOKEN=$1
 VAULT_TOKEN=$2

-NOMAD_CERT_BUNDLE={{ vault_root_dir }}/tmp/nomad_client_bundle.json
 VAULT_ADDR={{ vault_conf.api_addr }}

 if [ "$(vault status -format=json| jq .is_self)" != "true" ]; then
@@ -20,10 +19,7 @@ else
    vault write {{ vault_secrets.nomad.secret.path }}/config/access \
      address="{{ vault_secrets.nomad.address }}" \
      token="$NOMAD_TOKEN" \
-      ca_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .issuing_ca)" \
-      client_cert="$(cat $NOMAD_CERT_BUNDLE | jq -r .certificate)" \
-      client_key="$(cat $NOMAD_CERT_BUNDLE | jq -r .private_key)"
+      ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
+      client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
+      client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
 fi
-
-echo Removing Nomad client certificate from the filesystem
-rm -f $NOMAD_CERT_BUNDLE