-
Notifications
You must be signed in to change notification settings - Fork 3
/
consul-node-setup.sls
98 lines (84 loc) · 3.24 KB
/
consul-node-setup.sls
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# runs on the master via reactor
{% set tag = salt.pillar.get('tag') %}
{% set data = salt.pillar.get('data') %}
consul-acl-policy-create:
salt.runner:
- name: salt.cmd
- arg:
- http.query
- kwarg:
url: http://169.254.1.1:8500/v1/acl/policy
method: PUT
header_dict:
X-Consul-Token: {{salt['dynamicsecrets'].get_store().load('consul-acl-master-token', host="*")}}
data: >-
{
"Name": "policy-{{data['id']|replace('.', '-')}}",
"Description": "Agent policy for {{data['id']}}",
"Rules": "{{"
key_prefix \"\" {
policy = \"deny\"
}
key_prefix \"oauth2-clients\" {
policy = \"write\"
}
key_prefix \"concourse/workers/sshpub\" {
policy = \"write\"
}
node_prefix \"\" {
policy = \"read\"
}
node \""|replace('\n', '\\n')|replace('"', '\\"')}}{{data['id']}}{{"\" {
policy = \"write\"
}
service_prefix \"\" {
policy = \"write\"
}
agent \""|replace('\n', '\\n')|replace('"', '\\"')}}{{data['id']}}{{"\" {
policy = \"write\"
}
event_prefix \"\" {
policy = \"read\"
}
query_prefix \"\" {
policy = \"read\"
}
"|replace('\n', '\\n')|replace('"', '\\"')}}"
}
# the token has previously been created by dynamicsecrets (the secret is declared
# as type="consul-acl-token"). So we can just update it with the new policy we just created
consul-acl-token-update:
salt.runner:
- name: salt.cmd
- arg:
- http.query
- kwarg:
url: http://169.254.1.1:8500/v1/acl/token/{{salt['dynamicsecrets'].get_store().get_or_create(
{
"type": "consul-acl-token",
},
'consul-acl-token',
host=data['id'])['accessor_id']}}
method: PUT
header_dict:
X-Consul-Token: {{salt['dynamicsecrets'].get_store().load('consul-acl-master-token', host="*")}}
data: >-
{
"Description": "token-{{data['id']}}",
"Policies": [
{
"Name": "policy-{{data['id']|replace('.', '-')}}"
}
]
}
- require:
- salt: consul-acl-policy-create
consul-acl-install:
salt.state:
- name: ACL installation
- tgt: {{data['id']}}
- sls:
- consul.acl_install
- consul.template_acl_install
- require:
- salt: consul-acl-token-update