From 2b4bb6ca09f2ee0e4a6560ad61b24f4136d033d2 Mon Sep 17 00:00:00 2001
From: Bruce Becker
Date: Sun, 30 Jun 2024 22:48:45 +0200
Subject: [PATCH] feat: add job for hashi-at-home consul and nomad secrets (#145)

feat: add job for hashi-at-home consul and nomad secrets
fix: add secrets for CONSUL and VAULT to env with template
feat: add backup job for H@H services
chore: change execution cron to 15 past every 6th hour

---------

Signed-off-by: Bruce Becker
---
 consul-snapshot.nomad | 39 ----------------------
 hah-snapshot.nomad | 75 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 39 deletions(-)
 delete mode 100644 consul-snapshot.nomad
 create mode 100644 hah-snapshot.nomad

diff --git a/consul-snapshot.nomad b/consul-snapshot.nomad
deleted file mode 100644
index a62e46a..0000000
--- a/consul-snapshot.nomad
+++ /dev/null
@@ -1,39 +0,0 @@
-job "consul-backup" {
- datacenters = ["dc1"]
- type = "batch"
- periodic {
- cron = "1-59/5 * * * * *"
- }
- group "data" {
- count = 1
- network {}
- // volume "scratch" {
- // type = "host"
- // source = "scratch"
- // read_only = false
- // }
- task "get-terraform" {
- driver = "exec"
- lifecycle {
- hook = "prestart"
- sidecar = false
- }
- config {
- command = "bash"
- args = ["-c", "curl https://r1eleases.hashicorp.com/terraform/1.3.4/terraform_1.3.4_linux_arm64.zip | gunzip ->terraform ; chmod u+x terraform"]
- }
- // volume_mount {
- // volume = "scratch"
- // destination = "/volume"
- // read_only = false
- // }
- }
- task "check-consul" {
- driver = "exec"
- config {
- command = "bash"
- args = ["-c", "consul -version"]
- }
- }
- }
-}
diff --git a/hah-snapshot.nomad b/hah-snapshot.nomad
new file mode 100644
index 0000000..0f09217
--- /dev/null
+++ b/hah-snapshot.nomad
@@ -0,0 +1,75 @@
+# A job to retrieve a consul token from Vault.
+job "hah-state-backup" {
+ datacenters = ["dc1"]
+ type = "batch"
+ periodic {
+ crons = ["1-59/15 * * * * *"]
+ prohibit_overlap = false
+ }
+ group "all" {
+ count = 1
+ network {}
+ vault {
+ env = true
+ }
+ restart {
+ attempts = 0
+ }
+ task "snapshot" {
+ # Get a vault token so that we can read consul creds
+ template {
+ data = <<-EOH
+#!/bin/env bash
+PATH=${HOME}/.local/bin:${PATH}
+source ${NOMAD_SECRETS_DIR}/env
+echo Nomad addr: ${NOMAD_ADDR}
+ecoh
+# Generate Consul Snapshot
+curl -v \
+ -X GET \
+ -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" \
+ http://localhost:8500/v1/snapshot \
+ > ${NOMAD_ALLOC_DIR}/data/consul_$(date --iso-8601=date).snap
+
+# Generate Nomad snapshot
+curl -v \
+ -X GET \
+ -H "X-Nomad-Token: ${NOMAD_TOKEN}" \
+ ${NOMAD_ADDR}/v1/operator/snapshot \
+ > ${NOMAD_ALLOC_DIR}/data/nomad_$(date --iso-8601=date).snap
+
+# Get the playbook
+curl -X GET \
+ -H "Accept: applicaton/vnd.github+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ -H "X-Github-Api-Version: 2022-11-28" \
+ https://api.github.com/repos/brucellino/personal-automation/contents/playbooks/backup-state.yml \
+ | jq -r .content \
+ | base64 -d > playbook.yml
+pip install --user ansible boto3 botocore
+ansible-playbook -c local -i localhost, playbook.yml
+ EOH
+ destination = "local/start.sh"
+ perms = "777"
+ }
+ template {
+ data = <<-EOH
+CONSUL_HTTP_TOKEN="{{ with secret "hashi_at_home/creds/cluster-role" }}{{ .Data.token }}{{ end }}"
+CONSUL_HTTP_ADDR=http://localhost:8500
+GITHUB_TOKEN="{{ with secret "/github_personal_tokens/token" "repositories=personal-automation"
+"installation_id=44668070"}}{{ .Data.token }}{{ end }}"
+NOMAD_ADDR={{ with service "http.nomad" }}{{ with index . 0 }}http://{{ .Address }}:{{ .Port }}{{ end }}{{ end }}
+NOMAD_TOKEN="{{ with secret "nomad/creds/mgmt" }}{{ .Data.secret_id }}{{ end }}"
+VAULT_ADDR={{ range service "vault" }}http://{{ .Address }}:{{ .Port }}{{- end }}
+ EOH
+ destination = "${NOMAD_SECRETS_DIR}/env"
+ perms = "400"
+ env = true
+ }
+ driver = "exec"
+ config {
+ command = "local/start.sh"
+ }
+ }
+ }
+}
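Review bot: The two `curl -v` calls in the start.sh heredoc print their outgoing request headers to stderr, so the `X-Consul-Token` and `X-Nomad-Token` values from the secrets template land verbatim in the task's stderr log, which undoes the `perms = "400"` protection on the env file; replace `-v` with `-sSf` so failures still surface without echoing headers. `crons = ["1-59/15 * * * * *"]` is a six-field expression, which Nomad's cron parser appears to read with a leading seconds field, so this fires roughly every 15 seconds rather than at the "15 past every 6th hour" the commit message describes, and with `prohibit_overlap = false` the runs would stack up; `crons = ["0 15 */6 * * *"]` matches the stated intent. The script has no `set -euo pipefail` and contains a stray `ecoh` line, so a failed snapshot request still leaves a truncated `.snap` in `${NOMAD_ALLOC_DIR}/data` that the playbook then backs up as if it were valid. The playbook is fetched from the repository's default branch and `pip install --user ansible boto3 botocore` is unpinned, so what runs under the `nomad/creds/mgmt` token changes whenever either upstream does; adding `?ref=<commit sha>` to the contents URL and pinning package versions would fix the executed code to a reviewed revision. Finally, `perms = "777"` on `local/start.sh` is wider than a script the task itself executes needs (`"755"` suffices), and the file's leading comment `# A job to retrieve a consul token from Vault.` no longer describes the job; something like `# Periodic batch job: snapshot Consul and Nomad state, then run the backup-state playbook.` would.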