more vault
authorTom Clegg <tom@curoverse.com>
Fri, 17 Feb 2017 08:09:34 +0000 (03:09 -0500)
committerTom Clegg <tom@curoverse.com>
Fri, 17 Feb 2017 08:09:34 +0000 (03:09 -0500)
services/boot/controller.go
services/boot/nomad.go
services/boot/vault.go

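index 4b3e249ac582083bb7be64818337eb5449202db5..abd07255ea7896baf586885096be99881081e9ce 100644
--- a/services/boot/controller.go
+++ b/services/boot/controller.go
@@ -17,20 +17,16 @@ func (c *controller) Boot(ctx context.Context) error {
                 },
                 Concurrent{
                         postgresql,
-                       Concurrent{
-                               &download{
-                                       URL:  "https://releases.hashicorp.com/consul-template/0.18.0/consul-template_0.18.0_linux_amd64.zip",
-                                       Dest: path.Join(cfg.UsrDir, "bin", "consul-template"),
-                                       Size: 6912352,
-                                       Mode: 0755,
-                               },
-                               consul,
-                       },
-                       Concurrent{
-                               vault,
-                               nomad,
+                       &download{
+                               URL:  "https://releases.hashicorp.com/consul-template/0.18.0/consul-template_0.18.0_linux_amd64.zip",
+                               Dest: path.Join(cfg.UsrDir, "bin", "consul-template"),
+                               Size: 6912352,
+                               Mode: 0755,
                         },
                 },
+               consul,
+               vault,
+               nomad,
                 // Concurrent{
                 //      dispatchLocal,
                 //      dispatchSLURM,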
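Review bot: The consul-template archive fetched at the top of the new side (the `&download{...}` literal) is still checked only by its byte count (`Size: 6912352`), which says nothing about the integrity of a binary pulled from the network; if `download` has a digest field, pin the archive's SHA-256 here, and if it does not, adding one to the type (defined outside this hunk) is worth a follow-up. The new sequential `consul, vault, nomad` ordering is presumably deliberate, since the nomad.go and vault.go changes in this same commit both consume the consul master token, but nothing on the page says so; a comment such as `// order matters: vault and nomad boot against consul's ACL master token` above `consul,` would keep a later reader from re-wrapping them in Concurrent{}. Boot's body starts and ends outside the hunk.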
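index 632f993f2c1d7d7d621ebaa1147b936441f85408..0dfdd1189af8d51b889864356f474880d24c6d1f 100644
--- a/services/boot/nomad.go
+++ b/services/boot/nomad.go
@@ -3,6 +3,7 @@ package main
 import (
        "context"
        "fmt"
+       "io/ioutil"
        "os"
        "path"
        "sync"
@@ -36,6 +37,11 @@ func (nb *nomadBooter) Boot(ctx context.Context) error {
                return err
        }
 
+       masterToken, err := ioutil.ReadFile(cfg.masterTokenFile())
+       if err != nil {
+               return err
+       }
+
        dataDir := path.Join(cfg.DataDir, "nomad")
        if err := os.MkdirAll(dataDir, 0700); err != nil {
                return err
@@ -51,6 +57,7 @@ func (nb *nomadBooter) Boot(ctx context.Context) error {
                },
                "consul": map[string]interface{}{
                        "address": fmt.Sprintf("127.0.0.1:%d", cfg.Ports.ConsulHTTP),
+                       "token":   string(masterToken),
                },
                "data_dir":   dataDir,
                "datacenter": cfg.SiteID,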
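Review bot: Nomad is handed the consul master (management) token itself in the third hunk (`"token": string(masterToken)`), so the nomad agent and whatever config file this map ends up in (written outside the hunk) become holders of the root of the consul ACL system; vault.go in this same commit instead mints a dedicated management token with `master.ACL().Create`, and doing the same here — ideally with a token carrying only the privileges nomad needs — would keep the master token out of nomad's config and allow revocation without rotating the master. Unless `cfg.masterTokenFile()` is guaranteed to be written without a trailing newline, the value should be trimmed, e.g. `"token": strings.TrimSpace(string(masterToken)),` (adding `"strings"` to the import block). The `ioutil.ReadFile` error in the second hunk is returned bare; `return fmt.Errorf("read consul master token: %v", err)` would name the step that failed. Boot's body continues outside the hunk.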
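index f01dbb626fa80015e96cd831cba253b68efb8a93..4d063e71a31e6c9b2069889ea75ff2a6a72f113b 100644
--- a/services/boot/vault.go
+++ b/services/boot/vault.go
@@ -128,31 +128,54 @@ func (vb *vaultBooter) tryInit(ctx context.Context) error {
                return fmt.Errorf("vault unseal failed!")
        }
 
+       // Use master token to create a management token
        master, err := consul.master(ctx)
        if err != nil {
                return err
        }
-       token, _, err := master.ACL().Create(&consulAPI.ACLEntry{Name: "vault", Type: "management"}, nil)
+       mgmtToken, _, err := master.ACL().Create(&consulAPI.ACLEntry{Name: "vault", Type: "management"}, nil)
        if err != nil {
                return err
        }
-       err = waitCheck(ctx, 30*time.Second, func(context.Context) error {
+       if err = atomicWriteFile(path.Join(cfg.DataDir, "vault-mgmt-token.txt"), []byte(mgmtToken), 0400); err != nil {
+               return err
+       }
+
+       // Mount+configure consul backend
+       if err = waitCheck(ctx, 30*time.Second, func(context.Context) error {
+               // Typically this first fails "500 node not active but
+               // active node not found" but then succeeds.
                return vault.Sys().Mount("consul", &api.MountInput{Type: "consul"})
-       })
-       if err != nil {
+       }); err != nil {
                return err
        }
        _, err = vault.Logical().Write("consul/config/access", map[string]interface{}{
                "address": fmt.Sprintf("127.0.0.1:%d", cfg.Ports.ConsulHTTP),
-               "token":   string(token),
+               "token":   string(mgmtToken),
        })
        if err != nil {
                return err
        }
+
+       // Create a role
        _, err = vault.Logical().Write("consul/roles/write-all", map[string]interface{}{
                "policy": base64.StdEncoding.EncodeToString([]byte(`key "" { policy = "write" }`)),
        })
-       return err
+       if err != nil {
+               return err
+       }
+
+       // Generate a new token with the write-all role
+       secret, err := vault.Logical().Read("consul/creds/write-all")
+       if err != nil {
+               return err
+       }
+       token, ok := secret.Data["token"].(string)
+       if !ok {
+               return fmt.Errorf("secret token broken?? %+v", secret)
+       }
+       log.Printf("Vault supplied token with lease duration %s (renewable=%v): %q", time.Duration(secret.LeaseDuration)*time.Second, secret.Renewable, token)
+       return nil
 }
 
 func (vb *vaultBooter) client(ctx context.Context) (*api.Client, error) {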
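Review bot: The `log.Printf` at the end of tryInit writes the freshly issued consul token (`%q` with `token`) into the process log, turning a short-lived, leased secret into a long-lived one wherever logs are collected; the token is not used for anything else in the hunk, so drop it from the message, e.g. `log.Printf("Vault supplied consul token with lease duration %s (renewable=%v)", time.Duration(secret.LeaseDuration)*time.Second, secret.Renewable)`. As far as I recall the Vault client, `vault.Logical().Read` returns a nil `*api.Secret` with a nil error when the path yields nothing, in which case `secret.Data["token"]` dereferences nil; guard with `if secret == nil || secret.Data == nil { return fmt.Errorf("no secret returned from consul/creds/write-all") }` before the type assertion. The error text `"secret token broken?? %+v"` likewise formats the whole secret, token included, into the returned error; reporting only the dynamic type of `secret.Data["token"]` would be enough to debug it. tryInit's body starts outside the hunk.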