commit 843f915778a8bb3e504020fe689765d10e8c7125
parent 3a72024bfa73f802efb0e59e166a95457daed0e3
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Sat, 27 Jul 2024 15:26:08 +0200
feat(nomad): workload identities with bao
Diffstat:
3 files changed, 52 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
@@ -100,6 +100,50 @@ tbd
* ACLs for Nomad
+## Nomad workload identity configuration
+
+Follow along the tutorial to configure Nomad workload identities with Bao:
+* https://developer.hashicorp.com/nomad/tutorials/integrate-vault/vault-acl
+
+```bash
+$ cat vault-jwt-config.json
+{
+ "jwks_url": "https://127.0.0.1:4646/.well-known/jwks.json",
+ "jwt_supported_algs": ["RS256", "EdDSA"],
+ "default_role": "nomad-workloads"
+}
+
+# reuse the nomad-agent-ca.pem to configure the jwt auth backend
+$ bao write auth/jwt-nomad/config jwks_ca_pem=@tls/nomad/nomad-agent-ca.pem @vault-jwt-config.json
+
+$ cat vault-jwt-role.json
+{
+ "role_type": "jwt",
+ "bound_audiences": ["vault.in0rdr.ch"],
+ "user_claim": "/nomad_job_id",
+ "user_claim_json_pointer": true,
+ "claim_mappings": {
+ "nomad_namespace": "nomad_namespace",
+ "nomad_job_id": "nomad_job_id",
+ "nomad_task": "nomad_task"
+ },
+ "token_type": "service",
+ "token_policies": ["nomad-workloads"],
+ "token_period": "30m",
+ "token_explicit_max_ttl": 0
+}
+$ bao write auth/jwt-nomad/role/nomad-workloads @vault-jwt-role.json
+
+# keep the bao policy a bit simpler (only job level nesting for kv path)
+# replace AUTH_METHOD_ACCESSOR with the actual accessor of auth/jwt-nomad
+$ cat vault-policy-nomad-workloads.hcl
+path "kv/+/{{identity.entity.aliases.AUTH_METHOD_ACCESSOR.metadata.nomad_job_id}}*" {
+ capabilities = ["list", "read"]
+}
+$ bao policy write nomad-workloads vault-policy-nomad-workloads.hcl
+```
+
+
## Authorized Keys
Copy the contents of an openssh pubkey to `authorized_keys` Packer variable.
diff --git a/hashi-pi.pkr.hcl b/hashi-pi.pkr.hcl
@@ -84,12 +84,6 @@ variable "nomad_server" {
default = "true"
}
-variable "nomad_vault_token" {
- type = string
- default = ""
- sensitive = true
-}
-
variable "nomad_version" {
type = string
default = "1.8.1"
@@ -212,7 +206,6 @@ build {
"NOMAD_SERVER=${var.nomad_server}",
"NOMAD_CLIENT=${var.nomad_client}",
"NOMAD_PODMAN_DRIVER_VERSION=${var.nomad_podman_driver_version}",
- "NOMAD_VAULT_TOKEN=${var.nomad_vault_token}",
"NOMAD_JENKINS_UID=${var.nomad_jenkins_uid}",
"NOMAD_JENKINS_GID=${var.nomad_jenkins_gid}"
]
diff --git a/nomad.sh b/nomad.sh
@@ -46,9 +46,15 @@ vault {
$(if [[ "$NOMAD_SERVER" = true ]]; then
# Only servers create further Tokens for clients from the Token role
# https://developer.hashicorp.com/nomad/docs/configuration/vault#nomad-client
- echo -e " create_from_role = \"nomad-cluster\"\n}"
-else echo "}"
+ echo -e "
+ # default workload identity for bao
+ # https://developer.hashicorp.com/nomad/docs/configuration/vault#default_identity
+ default_identity {
+ aud = ["vault.in0rdr.ch"]
+ ttl = "1h"
+ }"
fi)
+}
telemetry {
# https://developer.hashicorp.com/nomad/docs/configuration/telemetry
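Review bot: The HCL emitted by the new `echo -e` loses its string quotes on the `aud` and `ttl` lines: inside the `$( … )` the shell parses the double quotes around `vault.in0rdr.ch` and `1h` as quoting (the removed `create_from_role` line escaped them as `\"`), so the rendered config would read `aud = [vault.in0rdr.ch]` and `ttl = 1h`, which is not valid HCL and would likely make the Nomad agent reject its configuration at startup. Unless the rendering dropped the backslashes, the two lines should be `aud = [\"vault.in0rdr.ch\"]` and `ttl = \"1h\"`, or the block should be emitted with a quoted heredoc (`cat <<'IDENTITY'`) so no escaping is needed at all. The enclosing `vault {` block and the outer heredoc both start and end outside this hunk. The audience `vault.in0rdr.ch` is now hard-coded here and must match `bound_audiences` in the README's role; a Packer variable (like the removed `nomad_vault_token`) would keep the two from drifting.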
@@ -112,9 +118,6 @@ tls {
verify_https_client = false
}
EOF
-
-# https://www.nomadproject.io/docs/integrations/vault-integration
-echo "VAULT_TOKEN=$NOMAD_VAULT_TOKEN" > /etc/nomad.d/nomad.env
fi # endif NOMAD_SERVER
systemctl enable nomad