feat: generate consul policy/tokens
- generate a policy/token used to add nodes
- generate a policy/token for all nodes
- add the base::root profile to manage aspects of the root user
@@ -22,6 +22,7 @@ class profiles::base (
|
||||
include profiles::base::scripts
|
||||
include profiles::base::hosts
|
||||
include profiles::base::groups
|
||||
include profiles::base::root
|
||||
include profiles::accounts::sysadmin
|
||||
include profiles::ntp::client
|
||||
include profiles::dns::base
|
||||
@@ -29,6 +30,7 @@ class profiles::base (
|
||||
include profiles::cloudinit::init
|
||||
include profiles::metrics::default
|
||||
include profiles::helpers::node_lookup
|
||||
include profiles::consul::client
|
||||
|
||||
# include the python class
|
||||
class { 'python':
|
||||
|
||||
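Review bot: `include profiles::consul::client` makes every node that includes profiles::base manage a token file that `require`s File['/root/.config'], and that resource only exists when profiles::base::root is also included, so the two new includes are coupled but nothing in the file records it. A comment on the root include, `# provides File['/root/.config'], needed by profiles::consul::client`, makes the dependency visible to whoever next reorders or removes these lines. Both hunks sit inside class profiles::base, whose body starts and ends outside them.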
@@ -0,0 +1,13 @@
|
||||
# manage the root user
|
||||
class profiles::base::root {
|
||||
|
||||
# TODO
|
||||
# for now, add some root directories
|
||||
|
||||
file {'/root/.config':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
}
|
||||
}
|
||||
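Review bot: `mode => '0600'` on a directory resource does not do what it looks like: Puppet sets the search (execute) bit on directories wherever the read bit is set, so the mode actually applied is 0700, and a reader checking the manifest against the host will see a mismatch. Writing `mode => '0700',` states the intent directly. The bare `# TODO` above it carries no information; either say what remains to be done or drop it.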
@@ -0,0 +1,53 @@
|
||||
# profiles::consul::client
|
||||
class profiles::consul::client (
|
||||
String $secret_id_salt = '',
|
||||
Stdlib::Fqdn $consul_hostname = 'consul.service.consul',
|
||||
Enum['http','https'] $consul_protocol = 'http',
|
||||
Stdlib::Port $consul_port = 8500,
|
||||
String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
|
||||
) {
|
||||
|
||||
# Create ACL policy that allows nodes to update themselves and read others
|
||||
consul_policy { $facts['networking']['hostname']:
|
||||
description => "${facts['networking']['fqdn']} puppet-generated-policy",
|
||||
rules => [
|
||||
{
|
||||
'resource' => 'node',
|
||||
'segment' => $facts['networking']['hostname'],
|
||||
'disposition' => 'write'
|
||||
},
|
||||
{
|
||||
'resource' => 'node',
|
||||
'segment' => '',
|
||||
'disposition' => 'read'
|
||||
}
|
||||
],
|
||||
acl_api_token => $consul_api_token,
|
||||
hostname => $consul_hostname,
|
||||
protocol => $consul_protocol,
|
||||
port => $consul_port,
|
||||
}
|
||||
|
||||
consul_token { $facts['networking']['hostname']:
|
||||
accessor_id => fqdn_uuid($facts['networking']['fqdn']),
|
||||
description => "${facts['networking']['fqdn']} puppet-generated-token",
|
||||
policies_by_name => [$facts['networking']['hostname']],
|
||||
acl_api_token => $consul_api_token,
|
||||
secret_id => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}"),
|
||||
hostname => $consul_hostname,
|
||||
protocol => $consul_protocol,
|
||||
port => $consul_port,
|
||||
|
||||
}
|
||||
|
||||
# ensure the consul token is saved for the root user
|
||||
file {'/root/.config/consul_node_token':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => Sensitive(fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")),
|
||||
require => File['/root/.config'],
|
||||
}
|
||||
|
||||
}
|
||||
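Review bot: With the default `String $secret_id_salt = ''`, the token's `secret_id` becomes `fqdn_uuid("${fqdn}-")`, a deterministic UUIDv5 that anyone who knows the node's FQDN can recompute, so the secret is only as secret as the salt and the default silently provides none. Make the salt mandatory and non-empty, `String[1] $secret_id_salt,` (no default), and compute it once, `$node_secret_id = fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")`, for use by both the consul_token and the file content instead of repeating the expression. The `$consul_api_token` default also pulls the initial management token into every client's catalog as a plain String; whether consul_policy/consul_token accept a Sensitive-wrapped value is not visible here, but if they do the parameter should be typed `Sensitive[String]`, and if they do not, a token scoped to ACL policy/token writes should replace the management token on clients.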
@@ -0,0 +1,23 @@
|
||||
# profiles::consul::policies
|
||||
class profiles::consul::policies (
|
||||
String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
|
||||
) {
|
||||
|
||||
consul_policy { 'node_editor':
|
||||
description => 'Policy to read/write all nodes puppet-generated-policy',
|
||||
rules => [
|
||||
{
|
||||
'resource' => 'node',
|
||||
'segment' => '',
|
||||
'disposition' => 'write'
|
||||
},
|
||||
{
|
||||
'resource' => 'node',
|
||||
'segment' => '',
|
||||
'disposition' => 'read'
|
||||
}
|
||||
],
|
||||
acl_api_token => $root_api_token,
|
||||
hostname => $facts['networking']['ip'],
|
||||
}
|
||||
}
|
||||
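Review bot: The second rule (`'segment' => ''` with `'disposition' => 'read'`) is redundant: the first rule already grants `write` on the same empty prefix, and in Consul ACL policies `write` includes `read`, so the policy is unchanged with the read rule removed. This class also addresses the agent as `hostname => $facts['networking']['ip']` with no protocol or port, while profiles::consul::client in the same commit takes `$consul_hostname`/`$consul_protocol`/`$consul_port` parameters; profiles::consul::tokens has the same inconsistency. Giving both server-side classes those three parameters keeps the API endpoint configurable in one place.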
@@ -105,8 +105,10 @@ class profiles::consul::server (
|
||||
# consul before extra services
|
||||
if defined(Class['consul']) {
|
||||
|
||||
# setup nginx
|
||||
# include nginx, policies and tokens
|
||||
include profiles::consul::nginx
|
||||
include profiles::consul::policies
|
||||
include profiles::consul::tokens
|
||||
|
||||
# get the dns port from the $ports hash, otherwise use the default
|
||||
$dns_port = pick($ports['dns'], 8600)
|
||||
|
||||
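Review bot: `include profiles::consul::policies` followed by `include profiles::consul::tokens` establishes no ordering, yet the `node_editor` token in profiles::consul::tokens names the `node_editor` policy in `policies_by_name`; unless the consul_token type autorequires consul_policy resources (not visible here), a first run can attempt to create the token before its policy exists. Add `Class['profiles::consul::policies'] -> Class['profiles::consul::tokens']` after the two includes, or `require => Consul_policy['node_editor'],` on the token resource in profiles::consul::tokens. The enclosing `if defined(Class['consul'])` block and class profiles::consul::server continue outside the hunk.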
@@ -0,0 +1,13 @@
|
||||
# profiles::consul::tokens
|
||||
class profiles::consul::tokens (
|
||||
String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
|
||||
){
|
||||
|
||||
consul_token { 'node_editor':
|
||||
accessor_id => lookup('profiles::consul::token::node_editor::accessor_id'),
|
||||
policies_by_name => ['node_editor'],
|
||||
acl_api_token => $root_api_token,
|
||||
secret_id => lookup('profiles::consul::token::node_editor::secret_id'),
|
||||
hostname => $facts['networking']['ip'],
|
||||
}
|
||||
}
|
||||
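Review bot: `secret_id => lookup('profiles::consul::token::node_editor::secret_id')` places the shared node_editor secret into the catalog as a plain string, and `$root_api_token` does likewise, so both appear unredacted in catalogs, reports and any debug logging; a hiera `lookup_options` entry with `convert_to: Sensitive` for these keys keeps them redacted, provided the consul_token type accepts Sensitive values (not visible here). The resource also lacks a `description`, unlike every other token and policy in this commit; `description => 'node_editor puppet-generated-token',` keeps them consistent and makes the token identifiable in the Consul UI.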