diff --git a/CHANGELOG b/CHANGELOG
index f00f69f..9cf9cc9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+* Tue Jul 18 2017 Dylan Cochran <dylan.cochran@onyxpoint.com> - 0.4.0
+- (SIMP-3275) libkv auto-config uses the root acl
+
 * Tue Jul 11 2017 Dylan Cochran <dylan.cochran@onyxpoint.com> - 0.3.3
 - (SIMP-3406) Fix docker containers for travisci
 - (SIMP-3128) Delete .meta keys
diff --git a/files/consul/consul-acl b/files/consul/consul-acl
new file mode 100755
index 0000000..9da60f5
--- /dev/null
+++ b/files/consul/consul-acl
@@ -0,0 +1,133 @@ +#!/bin/sh + +# Give consul some time to attempt a join, then realize it's bootstrapping +# a new cluster +sleep 10 + +gen_agent_acl() { + CLIENTCERT=$1 + shift + NODENAME=$1 + if [ "${NODENAME}" = "" ] ; then + NODENAME="${CLIENTCERT}" + fi + POLICY='{ + "Name": "%%CLIENTCERT%%", + "Type": "client", + "Rules": "{ + \"key\":{ + \"\":{ + \"policy\":\"write\" + }, + \"puppet/\":{ + \"policy\":\"deny\" + } + }, + \"operator\":\"read\" + , + \"node\":{ + \"\":{ + \"policy\":\"read\" + }, + \"%%NODENAME%%\":{ + \"policy\":\"write\" + } + } + , + \"agent\":{ + \"\":{ + \"policy\":\"read\" + }, + \"%%NODENAME%%\":{ + \"policy\":\"write\" + } + } + , + \"event\":{ + \"\":{ + \"policy\":\"read\" + } + } + , + \"service\":{ + \"\":{ + \"policy\":\"read\" + }, + \"%%NODENAME%%\":{ + \"policy\":\"write\" + } + } + , + \"session\":{ + \"\":{ + \"policy\":\"read\" + }, + \"%%NODENAME%%\":{ + \"policy\":\"write\" + } + } + }" +}' + echo "${POLICY}" | grep -v ^# | tr -d '\t' | tr -d '\n' | sed s@%%NODENAME%%@${NODENAME}@g | sed s@%%CLIENTCERT%%@${CLIENTCERT}@g +} + +gen_token() { + + case "${TYPE}" in + libkv) + POLICY='{ + "Name": "libkv-acl", + "Type": "client", + "Rules": "{\"key\":{\"puppet/\":{\"policy\":\"write\"}},\"operator\":\"read\"}" +}' + ;; + agent) + POLICY="$(gen_agent_acl "${CLIENTCERT}" "${NODENAME}")" + ;; + esac + if [ "${OUTPUTFILE}" = "" ] ; then + curl -s --request PUT --data "${POLICY}" -q http://localhost:8500/v1/acl/create?token="${TOKEN}" | cut -d '"' -f 4 + else + curl -s --request PUT --data "${POLICY}" -q http://localhost:8500/v1/acl/create?token="${TOKEN}" | cut -d '"' -f 4 >${OUTPUTFILE} + fi +} + +get_token() { + curl -s --request GET -q http://localhost:8500/v1/acl/list +} + +while getopts ":t:m:o:" o; do + case "${o}" in + t) + export TYPE=${OPTARG} + ;; + m) + export MASTER_TOKEN_PATH=${OPTARG} + ;; + o) + export OUTPUTFILE=${OPTARG} + ;; + esac +done + +if [ "${TYPE}" = "" ] ; then +export TYPE="libkv" +fi +if [ 
"${MASTER_TOKEN_PATH}" = "" ] ; then +export MASTER_TOKEN_PATH="/etc/simp/bootstrap/consul/master_token" +fi + +export TOKEN=$(cat ${MASTER_TOKEN_PATH}) + +shift $((OPTIND-1)) +export METHOD=$1 +shift +export CLIENTCERT=$1 +shift +export NODENAME=$1 + +case "${METHOD}" in + gen) + gen_token + ;; +esac diff --git a/files/consul/consul-create-acl b/files/consul/consul-create-acl index 7820ded..7ab8639 100644 --- a/files/consul/consul-create-acl +++ b/files/consul/consul-create-acl @@ -30,8 +30,8 @@ case "${TYPE}" in agent) POLICY='{ "Name": "agent-acl", - "Taype": "client", - "Rules": "{\"key\":{\"\":{\"policy\":\"write\"}, \"puppet/\":{\"policy\":\"deny\"}},\"operator\":\"read\"}" + "Type": "client", + "Rules": "{\"key\":{\"\":{\"policy\":\"write\"}, \"puppet/\":{\"policy\":\"deny\"}},\"operator\":\"read\", \"node\":{\"\":{\"policy\":\"write\"}}, \"agent\":{\"policy\":\"write\"}, \"event\":{ \"\":{\"policy\":\"read\"}} }" }' ;; esac diff --git a/manifests/consul.pp b/manifests/consul.pp index 1d44fde..70bf802 100644 --- a/manifests/consul.pp +++ b/manifests/consul.pp @@ -17,6 +17,7 @@ $private_file_name = undef, $cert_file_name = undef, $config_hash = undef, + $agent_token = undef, ) { if ($firewall) { $ports = [ @@ -43,6 +44,10 @@ if ($facts["consul_bootstrap"] == "true") { $_bootstrap_hash = { "bootstrap_expect" => 1 } ## Create real token + file { "/usr/bin/consul-acl": + mode => "a+x", + source => "puppet:///modules/libkv/consul/consul-acl" + } -> file { "/usr/bin/consul-create-acl": mode => "a+x", source => "puppet:///modules/libkv/consul/consul-create-acl" 
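Review bot: Both `curl` calls in `gen_token` send the master token as the `?token=` query parameter, which puts the root ACL secret into any HTTP access or proxy log that records URLs; pass it as a header instead, `curl -s --fail --request PUT -H "X-Consul-Token: ${TOKEN}" --data "${POLICY}" http://localhost:8500/v1/acl/create` (same change in the `>${OUTPUTFILE}` branch). `--fail` matters because the response is piped unconditionally into `cut -d '"' -f 4` and then returned or written to `${OUTPUTFILE}`, so today a 403 or other error body is reduced to a fragment and stored as if it were a token. In `gen_agent_acl`, `${NODENAME}` and `${CLIENTCERT}` are interpolated unquoted into the `sed s@…@…@g` expressions, so a certname or hostname containing `@`, `&` or `\` yields a malformed or altered policy; reject anything outside a safe character set before templating, e.g. `case "${CLIENTCERT}${NODENAME}" in *[!A-Za-z0-9._-]*) echo "bad name" >&2; exit 1;; esac`. The unconditional `sleep 10` at the top also runs for the per-agent `generate()` call added in manifests/consul.pp, so every catalog compile for an agent without a stored token stalls ten seconds on the master.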
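Review bot: The new `\"agent\":{\"policy\":\"write\"}` entry in the agent-acl rule string does not match the shape of the sibling `node` and `event` entries on the same line, which nest the policy under a `\"\"` prefix key; as written, `policy` is read as a prefix name rather than a policy, so the intended agent permission is most likely not granted or the rule is rejected. Change it to `\"agent\":{\"\":{\"policy\":\"write\"}}`. Note also that this bootstrap policy keeps `node` write on every node (`\"\"` prefix), while the per-node policy added in files/consul/consul-acl scopes `node`, `agent`, `service` and `session` write to `%%NODENAME%%`; if this token is still handed to agents, they do not end up with the tighter policy. The enclosing `case "${TYPE}"` starts before the hunk.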
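Review bot: The new `$agent_token` parameter is undocumented, and its meaning is only discoverable from the branch further down the file that consults libkv or calls `/usr/bin/consul-acl` when it is undef. Add to the class header comment: `# @param agent_token Consul ACL token placed in acl_token for this agent; when undef it is read from libkv or generated on the master via /usr/bin/consul-acl.` The class signature starts before the hunk.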
@@ -50,16 +55,16 @@
 exec { "/usr/bin/consul-create-acl -t libkv /etc/simp/bootstrap/consul/master_token /etc/simp/bootstrap/consul/libkv_token":
 creates => "/etc/simp/bootstrap/consul/libkv_token",
 require => [
- Service['consul'],
- File["/usr/bin/consul-create-acl"],
- ],
+ Service['consul'],
+ File["/usr/bin/consul-create-acl"],
+ ],
 }
 exec { "/usr/bin/consul-create-acl -t agent_token /etc/simp/bootstrap/consul/master_token /etc/simp/bootstrap/consul/agent_token":
 creates => "/etc/simp/bootstrap/consul/agent_token",
 require => [
- Service['consul'],
- File["/usr/bin/consul-create-acl"],
- ],
+ Service['consul'],
+ File["/usr/bin/consul-create-acl"],
+ ],
 }
 } else {
 $_bootstrap_hash = {}
@@ -91,22 +96,47 @@
 } else {
 $_key_hash = {}
 }
+ if ($agent_token == undef) {
 $master_token_path = '/etc/simp/bootstrap/consul/master_token'
 $master_token = file($master_token_path, "/dev/null")
- if ($master_token != undef) {
- $_token_hash = {
- "acl_master_token" => $master_token.chomp,
- "acl_token" => $master_token.chomp,
+ if ($server == true) {
+ if ($master_token != undef) {
+ $_token_hash = {
+ "acl_master_token" => $master_token.chomp,
+ "acl_token" => $master_token.chomp,
+ }
+ } else {
+ $_token_hash = {}
 }
 } else {
- $_token_hash = {}
+ $_agent_token = libkv::get({"softfail" => true, "key" => "/simp/libkv/consul/acls/${::clientcert}-${::hostname}"})
+ if ($_agent_token != undef) {
+ $_token_hash = {
+ "acl_token" => $_agent_token.chomp,
+ }
+ } else {
+ $try_agent_token = generate("/usr/bin/consul-acl", "-t", "agent", "gen", "${::clientcert}", "${::hostname}").chomp
+ if ($try_agent_token != "") {
+ $result = libkv::put({"softfail" => true, "key" => "/simp/libkv/consul/acls/${::clientcert}-${::hostname}", "value" => $try_agent_token.chomp})
+ $_token_hash = {
+ "acl_token" => $try_agent_token.chomp,
+ }
+ } else {
+ $_token_hash = {}
+ }
+ }
+ }
+ } else {
+ $_token_hash = {
+ "acl_token" => $agent_token,
+ }
 }
 if ($use_puppet_pki == true) {
 if ($bootstrap == false) {
 if (!defined(File['/etc/simp'])) {
- file { "/etc/simp":
- ensure => directory,
- }
+ file { "/etc/simp":
+ ensure => directory,
+ }
 }
 }
 file { "/etc/simp/consul":
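Review bot: `$result` from `libkv::put` is assigned but never inspected, and the call is made with `"softfail" => true`, so a failed store is silent; on the next compile `libkv::get` returns undef again, `generate()` mints another ACL token with the master token, and the previous one is never revoked, so a persistent libkv problem produces one fresh root-created token per agent per run. Check the return value and at least warn, e.g. `if (!$result) { warning("libkv::put of the consul agent token for ${::clientcert} failed; a new token will be generated on every run") }` (assuming `libkv::put` returns a false value on failure — confirm), and consider failing the compile instead since this token is also the credential written into the agent's config. The stored key `/simp/libkv/consul/acls/${::clientcert}-${::hostname}` is not under `puppet/`; unless libkv prefixes keys itself, the agent policy in files/consul/consul-acl (key `""` write, `puppet/` deny) lets any agent holding such a token read and overwrite every other agent's token at that path, so confirm the effective key path and add a deny for it to the agent policy. Note also that `generate()` runs on the master at compile time and the script it calls sleeps ten seconds unconditionally before contacting Consul.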