This repository was archived by the owner on Nov 16, 2023. It is now read-only.
Merged
4 changes: 0 additions & 4 deletions README.md
Expand Up @@ -19,10 +19,6 @@ Axiomatic uses environment variables to override the default configuration value
* AXIOMATIC_SSH_PRIV_KEY (**required**) is the private ssh key used for cloning repositories. It must be base64 encoded.
* AXIOMATIC_SSH_PUB_KEY (**required**) is the public ssh key used for cloning repositories.
* NOMAD_ADDR is the address of the Nomad server. Default = `http://127.0.0.1:4646`
* NOMAD_CACERT is the path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate.
* NOMAD_CAPATH is the path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate.
* NOMAD_CLIENT_CERT Path to a PEM encoded client certificate for TLS authentication to the Nomad server.
* NOMAD_CLIENT_KEY Path to an unencrypted PEM encoded private key matching the client certificate.
* NOMAD_NAMESPACE is the target namespace for queries and actions. Default = `default`
* NOMAD_REGION is region of the Nomad servers to forward commands.
* NOMAD_TOKEN is the SecretID of an ACL token to use to authenticate API requests.
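Review bot: the four removed bullets (NOMAD_CACERT, NOMAD_CAPATH, NOMAD_CLIENT_CERT, NOMAD_CLIENT_KEY) were the only place the README said how to verify the Nomad server's certificate or present a client certificate, and what remains is NOMAD_ADDR with a plain `http://` default next to NOMAD_TOKEN. If the client still honors those variables, keep the bullets; if TLS configuration is being dropped, add a line stating that, so operators know NOMAD_TOKEN is sent over whatever transport NOMAD_ADDR names.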
28 changes: 5 additions & 23 deletions axiomatic.nomad
Expand Up @@ -23,33 +23,15 @@ job "axiomatic" {
AXIOMATIC_IP = "0.0.0.0"
AXIOMATIC_PORT = "8181"
GITHUB_SECRET = "you-deserve-what-you-get"
NOMAD_CACERT = "/local/certs/nomad-ca.pem"
NOMAD_CLIENT_CERT = "/local/certs/cli.pem"
NOMAD_CLIENT_KEY = "/local/certs/cli-key.pem"
}
template {
data = <<EOH
{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
{{ .Data.issuing_ca }}
NOMAD_TOKEN={{ with secret "secrets/team/empower-rangers/nomad-bootstrap-token" }}
{{ .Data.token }}
{{ end }}
EOH
destination = "/local/certs/nomad-ca.pem"
}
template {
data = <<EOH
{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
{{ .Data.certificate }}
{{ end }}
EOH
destination = "/local/certs/cli.pem"
}
template {
data = <<EOH
{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
{{ .Data.private_key }}
{{ end }}
EOH
destination = "/local/certs/cli-key.pem"
destination = "local/secrets.env"
env = true
}

resources {
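Review bot: in the new template, `NOMAD_TOKEN=` and `{{ .Data.token }}` sit on separate lines, so as laid out here the rendered `local/secrets.env` has an empty `NOMAD_TOKEN=` line followed by the token on a line of its own, and with `env = true` the variable will not carry the token. Put the `with`, the value and the `end` on one line, or use trim markers (`{{-` and `-}}`). Two further points on the same lines: the secret path is named `nomad-bootstrap-token`, and a Nomad bootstrap token is a management token, so a token tied to an ACL policy limited to what Axiomatic does would be the safer thing to hand the task; and `destination` should sit under `secrets/` rather than `local/`, since that is the task directory Nomad sets aside for secret material.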
Expand Down Expand Up @@ -77,6 +59,6 @@ EOH
type = "service"

vault = {
policies = ["tls-policy"]
policies = ["secrets-team-empower-rangers-read"]
}
}
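Review bot: `secrets-team-empower-rangers-read` reads as a policy covering the whole `secrets/team/empower-rangers` path, while the job's template reads one secret, `secrets/team/empower-rangers/nomad-bootstrap-token`. If the policy does grant read on the full team path, attach a policy scoped to that single secret instead, so a compromised task cannot read the team's other secrets.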