From dd3311e3d7457dcfe9a08794fded458329034472 Mon Sep 17 00:00:00 2001
From: David Arnold
Date: Fri, 20 May 2022 11:01:58 -0500
Subject: [PATCH] imp: imperonate patroni as patroni itself

---
 cells/patroni/hydrationProfiles.nix | 39 +++++++++++------------------
 cells/patroni/nomadJob/default.nix | 12 ++++++---
 2 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/cells/patroni/hydrationProfiles.nix b/cells/patroni/hydrationProfiles.nix
index be17300..a64a2be 100644
--- a/cells/patroni/hydrationProfiles.nix
+++ b/cells/patroni/hydrationProfiles.nix
@@ -14,12 +14,6 @@ in {
 bucketArn = "arn:aws:s3:::${config.cluster.s3Bucket}";
 allowS3ForBucket = allowS3For bucketArn;
 inherit (terralib) var id;
- c = "create";
- r = "read";
- u = "update";
- d = "delete";
- l = "list";
- s = "sudo";
 acc = nixpkgs.lib.foldl nixpkgs.lib.recursiveUpdate {};
 perNamespaceList = f: builtins.map (n: f n) namespaces;
 perNamespace = f: acc (perNamespaceList f);
@@ -44,16 +38,26 @@ in {
 cluster.iam.roles.client.policies = perNamespace (
 namespace: allowS3ForBucket "postgres-backups-${namespace}" "backups/${namespace}" ["walg"]
 );
+ # FIXME: consolidate policy reconciliation loop with TF
+ # PROBLEM: requires bootstrapper reconciliation loop
+ # clients need the capability to impersonate the `patroni` role
+ services.vault.policies.client = {
+ path."consul/creds/patroni".capabilities = ["read"];
+ path."auth/token/create/patroni".capabilities = ["update"];
+ path."auth/token/roles/patroni".capabilities = ["read"];
+ };
 # ------------------------
 # hydrate-cluster
 # ------------------------
 tf.hydrate-cluster.configuration = {
 locals.policies = {
- vault."nomad-cluster" = {
- path."consul/creds/patroni".capabilities = [r];
- path."pki/issue/postgres".capabilities = [c u];
- path."pki/roles/postgres".capabilities = [r];
- };
+ vault.patroni.path = perNamespace (
+ namespace: {
+ "consul/creds/patroni".capabilities = ["read"];
+ "kv/data/patroni/${namespace}".capabilities = ["read" "list"];
+ "kv/metadata/patroni/${namespace}".capabilities = ["read" "list"];
+ }
+ );
 consul.patroni = {
 key_prefix = perNamespace (
 namespace: {
@@ -79,19 +83,6 @@ in {
 };
 };
 };
- resource.vault_pki_secret_backend_role.postgres = {
- # backend = var "vault_pki_secret_backend.pki.path";
- backend = "pki";
- name = "postgres";
- key_type = "ec";
- key_bits = 256;
- allow_any_name = true;
- enforce_hostnames = false;
- generate_lease = true;
- key_usage = ["DigitalSignature" "KeyAgreement" "KeyEncipherment"];
- # 87600h
- max_ttl = "315360000";
- };
 };
 };
 }
diff --git a/cells/patroni/nomadJob/default.nix b/cells/patroni/nomadJob/default.nix
index 653f82e..48873a8 100644
--- a/cells/patroni/nomadJob/default.nix
+++ b/cells/patroni/nomadJob/default.nix
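Review bot: The new `vault.patroni` policy carries no `pki/` capability at all, yet the nomadJob hunk `@@ -33,7 +33,7 @@` now points the task's certificate request at `pki/issue/patroni`, and the following hunk `@@ -79,19 +83,6 @@` deletes the only PKI role resource (`vault_pki_secret_backend_role.postgres`) without creating a `patroni` one, so unless both are defined elsewhere the task's certificate issuance will be denied. If they belong here, add `"pki/issue/patroni".capabilities = ["create" "update"];` to the per-namespace path set and re-create the role resource under the name `patroni` with the same key type, key usage and `max_ttl` the removed block had. Separately, `perNamespace` folds every namespace's `kv/data/patroni/${namespace}` and `kv/metadata/patroni/${namespace}` paths into the single `patroni` policy, so any holder of that policy can read the patroni secrets of every namespace; if per-namespace isolation is intended, one policy per namespace (e.g. `patroni-${namespace}`) is the usual shape. The `services.vault.policies.client` block deliberately makes `client` a superset of `patroni` via `update` on `auth/token/create/patroni`, which the FIXME acknowledges, but the direct `consul/creds/patroni` read on `client` is then redundant and could be dropped so Consul credentials are reachable only through the impersonated role. The enclosing attribute set starts and ends outside the hunk.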
@@ -23,7 +23,7 @@ in
 subdomain = "patroni.${domain}";
 consulPath = "consul/creds/patroni";
 patroniSecrets = {
- __toString = _: "kv/database/${namespace}";
+ __toString = _: "kv/patroni/${namespace}";
 patroniApi = ".Data.data.patroniApi";
 patroniApiPass = ".Data.data.patroniApiPass";
 patroniRepl = ".Data.data.patroniRepl";
@@ -33,7 +33,7 @@ in
 patroniSuper = ".Data.data.patroniSuper";
 patroniSuperPass = ".Data.data.patroniSuperPass";
 };
- vaultPkiPath = "pki/issue/postgres";
+ vaultPkiPath = "pki/issue/patroni";
 patroniYaml = "secrets/patroni.yaml";
 volumeMount = "/persist-db";
 in {
@@ -176,7 +176,11 @@ in
 (
 merge
 (import ./env-patroni.nix {inherit patroniSecrets consulPath volumeMount patroniYaml namespace;})
- {template = append (nomadFragments.workload-identity-vault {inherit vaultPkiPath;});}
+ {
+ template = append (
+ nomadFragments.workload-identity-vault {inherit vaultPkiPath;}
+ );
+ }
 )
 // {
 resources = {
@@ -199,7 +203,7 @@ in
 vault = {
 change_mode = "noop";
 env = true;
- policies = ["nomad-cluster"];
+ policies = ["patroni"];
 };
 volume_mount = {
 destination = volumeMount;
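Review bot: `policies = ["patroni"]` in the task's `vault` stanza (hunk `@@ -199,7 +203,7 @@`) only works if the Vault token role Nomad uses to mint task tokens lists `patroni` among its allowed policies; the previous value `nomad-cluster` suggests that role was the one granting access before, and nothing in this patch touches it, so the job may fail at token creation unless that role is updated elsewhere. It would help the next reader to state the dependency next to the stanza, e.g. `# requires the token role Nomad mints task tokens from to allow the "patroni" policy`. The enclosing task definition starts and ends outside the hunk.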