fix tf/app defs

Signed-off-by: Martin Buchleitner <[email protected]>

app.py

@@ -135,12 +135,12 @@ def update_submit():
     if conf.has_section('VAULT'):
       if conf['VAULT']['Enabled'].lower() == 'true':
         logger.info('Vault is enabled...')
-        # if conf['VAULT']['Transform'].lower() == 'true':
-        #   logger.info('Using Transform database client...')
-        #   try:
-        #     dbc = db_client_transform.DbClient()
-        #   except Exception as e:
-        #     logging.error("There was an error starting the server: {}".format(e))
+        if conf['VAULT']['Transform'].lower() == 'true':
+          logger.info('Using Transform database client...')
+          try:
+            dbc = db_client_transform.DbClient()
+          except Exception as e:
+            logging.error("There was an error starting the server: {}".format(e))
         vault_token = ""
         if conf['VAULT']['InjectToken'].lower() == 'true':
           logger.info('Using Injected vault token')

db_client.py

@@ -64,12 +64,15 @@ def init_vault(self, addr, token, namespace, path, key_name):
         if not addr or not token:
             logger.warn('Skipping initialization...')
             return
-        else:
-            logger.warn("Connecting to vault server: {}".format(addr))
-            self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace)
-            self.key_name = key_name
-            self.mount_point = path
-            logger.debug("Initialized vault_client: {}".format(self.vault_client))
+        logger.warn("Connecting to vault server: {}".format(addr))
+        self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False)
+        if not self.vault_client.is_authenticated():
+            self.vault_client = None
+            logger.error("could not authenticate to vault")
+            return
+        self.key_name = key_name
+        self.mount_point = path
+        logger.debug("Initialized vault_client: {}".format(self.vault_client))
 
     def vault_db_auth(self, path):
         try:

db_client_transform.py

@@ -64,22 +64,26 @@ def init_db(self, uri, prt, uname, pw, db):
 
     # Later we will check to see if this is None to see whether to use Vault or not
     def init_vault(self, addr, token, namespace, path, key_name, transform_path, transform_masking_path, ssn_role, ccn_role):
+        self.vault_client = None
         if not addr or not token:
             logger.warn('Skipping initialization...')
             return
-        else:
-            logger.warn("Connecting to vault server: {}".format(addr))
-            self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace)
-            logging.debug("Vault-token: {}".format(token))
-            self.key_name = key_name
-            self.mount_point = path
-            self.transform_mount_point = transform_path
-            self.transform_masking_mount_point = transform_masking_path
-            self.ssn_role = ssn_role
-            self.ccn_role = ccn_role
-            self.namespace = namespace
-            self.token = token
-            logger.debug("Initialized vault_client: {}".format(self.vault_client))
+        logger.warn("Connecting to vault server: {}".format(addr))
+        self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False)
+        if not self.vault_client.is_authenticated():
+            self.vault_client = None
+            logger.error("could not authenticate to vault")
+            return
+        logging.debug("Vault-token: {}".format(token))
+        self.key_name = key_name
+        self.mount_point = path
+        self.transform_mount_point = transform_path
+        self.transform_masking_mount_point = transform_masking_path
+        self.ssn_role = ssn_role
+        self.ccn_role = ccn_role
+        self.namespace = namespace
+        self.token = token
+        logger.debug("Initialized vault_client: {}".format(self.vault_client))
 
     def vault_db_auth(self, path):
         try:
@@ -96,6 +100,8 @@ def encrypt(self, value):
             response = self.vault_client.secrets.transit.encrypt_data(
                 mount_point = self.mount_point,
                 name = self.key_name,
+
+
                 plaintext = base64.b64encode(value.encode()).decode('ascii')
             )
             logger.debug('Response: {}'.format(response))

nomad/app_transit_connect.hcl

@@ -50,7 +50,6 @@ job "dynamic-app" {
         volumes = [
           "local/config.ini:/usr/src/app/config/config.ini"
         ]
-
         ports = ["web"]
       }
 

nomad/app_transit_connect_traefik.hcl

@@ -1,7 +1,6 @@
 job "dynamic-app" {
   datacenters = ["dc1"]
   type        = "service"
-  namespace   = "demo"
 
   group "dynamic-app" {
     count = 1
@@ -23,7 +22,6 @@ job "dynamic-app" {
       change_signal = "SIGINT"
     }
 
-
     service {
       name = "dynamic-app"
       port = "8080"

nomad/mysql_connect.hcl

@@ -38,7 +38,6 @@ job "mysql-server" {
       }
 
       template {
-        env = true
         destination = "secrets/.envs"
         change_mode = "noop"
         env         = true

setup/main.tf

@@ -109,11 +109,11 @@ data "vault_policy_document" "nomad-dynamic-app" {
   }
   rule {
     path         = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.app.name}"
-    capabilities = ["read"]
+    capabilities = ["create", "update"]
   }
   rule {
     path         = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.app.name}"
-    capabilities = ["read"]
+    capabilities = ["create", "update"]
   }
 }