fix: refactoring example

Signed-off-by: Martin Buchleitner <[email protected]>
infralovers · Oct 24, 2024 · 5fc3be6 · 5fc3be6
1 parent 88010e8
commit 5fc3be6
Show file tree

Hide file tree

Showing 16 changed files with 312 additions and 44 deletions.
diff --git a/db_client.py b/db_client.py
@@ -64,12 +64,15 @@ def init_vault(self, addr, token, namespace, path, key_name):
         if not addr or not token:
             logger.warn('Skipping initialization...')
             return
-        else:
-            logger.warn("Connecting to vault server: {}".format(addr))
-            self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace)
-            self.key_name = key_name
-            self.mount_point = path
-            logger.debug("Initialized vault_client: {}".format(self.vault_client))
+        logger.warn("Connecting to vault server: {}".format(addr))
+        self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False)
+        if not self.vault_client.is_authenticated():
+            self.vault_client = None
+            logger.error("could not authenticate to vault")
+            return
+        self.key_name = key_name
+        self.mount_point = path
+        logger.debug("Initialized vault_client: {}".format(self.vault_client))
 
     def vault_db_auth(self, path):
         try:

diff --git a/db_client_transform.py b/db_client_transform.py
@@ -64,22 +64,26 @@ def init_db(self, uri, prt, uname, pw, db):
 
     # Later we will check to see if this is None to see whether to use Vault or not
     def init_vault(self, addr, token, namespace, path, key_name, transform_path, transform_masking_path, ssn_role, ccn_role):
+        self.vault_client = None
         if not addr or not token:
             logger.warn('Skipping initialization...')
             return
-        else:
-            logger.warn("Connecting to vault server: {}".format(addr))
-            self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace)
-            logging.debug("Vault-token: {}".format(token))
-            self.key_name = key_name
-            self.mount_point = path
-            self.transform_mount_point = transform_path
-            self.transform_masking_mount_point = transform_masking_path
-            self.ssn_role = ssn_role
-            self.ccn_role = ccn_role
-            self.namespace = namespace
-            self.token = token
-            logger.debug("Initialized vault_client: {}".format(self.vault_client))
+        logger.warn("Connecting to vault server: {}".format(addr))
+        self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False)
+        if not self.vault_client.is_authenticated():
+            self.vault_client = None
+            logger.error("could not authenticate to vault")
+            return
+        logging.debug("Vault-token: {}".format(token))
+        self.key_name = key_name
+        self.mount_point = path
+        self.transform_mount_point = transform_path
+        self.transform_masking_mount_point = transform_masking_path
+        self.ssn_role = ssn_role
+        self.ccn_role = ccn_role
+        self.namespace = namespace
+        self.token = token
+        logger.debug("Initialized vault_client: {}".format(self.vault_client))
 
     def vault_db_auth(self, path):
         try:
@@ -96,6 +100,8 @@ def encrypt(self, value):
             response = self.vault_client.secrets.transit.encrypt_data(
                 mount_point = self.mount_point,
                 name = self.key_name,
+
+
                 plaintext = base64.b64encode(value.encode()).decode('ascii')
             )
             logger.debug('Response: {}'.format(response))

diff --git a/nomad/app_dynamic.hcl b/nomad/app_dynamic.hcl
@@ -54,7 +54,9 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

diff --git a/nomad/app_hardcoded.hcl b/nomad/app_hardcoded.hcl
@@ -49,9 +49,9 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
-    User = root
-    Password = super-duper-password
+    Database = app
+    User = app
+    Password = my-app-super-password
 EOF
       }
       resources {

diff --git a/nomad/app_static.hcl b/nomad/app_static.hcl
@@ -55,10 +55,10 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
     {{ with secret "dynamic-app/kv/database" }}
-    User = {{ .Data.username }}
-    Password = {{ .Data.password }}
+    Database = {{ .Data.data.database }}
+    User = {{ .Data.data.username }}
+    Password = {{ .Data.data.password }}
     {{ end }}
     [VAULT]
     Enabled = False        

diff --git a/nomad/app_transit.hcl b/nomad/app_transit.hcl
@@ -56,7 +56,9 @@ job "dynamic-app" {
     Port = {{ .Port }}
     {{end}}
 
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

diff --git a/nomad/app_transit_connect.hcl b/nomad/app_transit_connect.hcl
@@ -50,7 +50,6 @@ job "dynamic-app" {
         volumes = [
           "local/config.ini:/usr/src/app/config/config.ini"
         ]
-
         ports = ["web"]
       }
 
@@ -64,7 +63,9 @@ job "dynamic-app" {
     Address = 127.0.0.1
     Port = 3306
     
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

diff --git a/nomad/app_transit_connect_traefik.hcl b/nomad/app_transit_connect_traefik.hcl
@@ -1,7 +1,6 @@
 job "dynamic-app" {
   datacenters = ["dc1"]
   type        = "service"
-  namespace   = "demo"
 
   group "dynamic-app" {
     count = 1
@@ -15,9 +14,6 @@ job "dynamic-app" {
 
     network {
       mode = "bridge"
-      // port "web" {
-      //   to = 8080
-      // }
     }
 
     vault {
@@ -26,14 +22,13 @@ job "dynamic-app" {
       change_signal = "SIGINT"
     }
 
-
     service {
       name = "dynamic-app"
       port = "8080"
       tags = ["traefik.enable=true",
         "traefik.http.routers.dynamic-app.rule=Host(`dynamic-app.127.0.0.1.nip.io`)",
-        "traefik.http.routers.dynamic-app.entrypoints=http",
-        "traefik.http.routers.dynamic-app.tls=false",
+        "traefik.http.routers.dynamic-app.entrypoints=https",
+        "traefik.http.routers.dynamic-app.tls=true",
         "traefik.connsulcatalog.connect=true"
       ]
       connect {
@@ -78,7 +73,9 @@ job "dynamic-app" {
     Address = 127.0.0.1
     Port = 3306
     
-    Database = my_app
+    {{ with secret "dynamic-app/kv/database" }}
+    Database = {{ .Data.data.database }}
+    {{ end }}
     {{ with secret "dynamic-app/db/creds/app" }}
     User = {{ .Data.username }}
     Password = {{ .Data.password }}

diff --git a/nomad/mysql.hcl b/nomad/mysql.hcl
@@ -22,11 +22,17 @@ job "mysql-server" {
 
       env = {
         "MYSQL_ROOT_PASSWORD" = "super-duper-password"
+        "MYSQL_DATABASE" = "app"
+        "MYSQL_USER" = "app"
+        "MYSQL_PASSWORD" = "my-app-super-password"
       }
 
       config {
         image = "mysql:9"
         ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
       }
 
       resources {

diff --git a/nomad/mysql_connect.hcl b/nomad/mysql_connect.hcl
@@ -13,6 +13,12 @@ job "mysql-server" {
       }
     }
 
+    vault {
+      policies      = ["nomad-dynamic-app", "nomad-mysql"]
+      change_mode   = "signal"
+      change_signal = "SIGINT"
+    }
+
     restart {
       attempts = 10
       interval = "5m"
@@ -23,16 +29,30 @@ job "mysql-server" {
     task "mysql-server" {
       driver = "docker"
 
-      env = {
-        "MYSQL_ROOT_PASSWORD" = "super-duper-password"
-      }
-
       config {
         image = "mysql:9"
-
         ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
       }
 
+      template {
+        destination = "secrets/.envs"
+        change_mode = "noop"
+        env         = true
+        data        = <<EOF
+{{ with secret "dynamic-app/kv/database" }}
+MYSQL_DATABASE = "{{ .Data.data.database }}"
+MYSQL_USER = "{{ .Data.data.username }}"
+MYSQL_PASSWORD = "{{ .Data.data.password }}"
+{{ end }}
+
+{{ with secret "dynamic-app/kv/database_root" }}
+MYSQL_ROOT_PASSWORD = "{{ .Data.data.password }}"
+{{ end }}
+EOF
+      }
       resources {
         cpu    = 500
         memory = 500

diff --git a/nomad/mysql_static.hcl b/nomad/mysql_static.hcl
@@ -0,0 +1,65 @@
+job "mysql-server" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "mysql-server" {
+    count = 1
+
+    vault {
+      policies      = ["nomad-dynamic-app", "nomad-mysql"]
+      change_mode   = "signal"
+      change_signal = "SIGINT"
+    }
+
+    service {
+      name = "mysql-server"
+      port = "db"
+    }
+
+    restart {
+      attempts = 10
+      interval = "5m"
+      delay    = "25s"
+      mode     = "delay"
+    }
+
+    task "mysql-server" {
+      driver = "docker"
+
+      config {
+        image = "mysql:9"
+        ports = ["db"]
+        volumes = [
+          "/srv/mysql/:/var/lib/mysql"
+        ]
+      }
+      template {
+        destination = "secrets/.envs"
+        change_mode = "noop"
+        env         = true
+        data        = <<EOF
+{{ with secret "dynamic-app/kv/database" }}
+MYSQL_DATABASE = "{{ .Data.data.database }}"
+MYSQL_USER = "{{ .Data.data.username }}"
+MYSQL_PASSWORD = "{{ .Data.data.password }}"
+{{ end }}
+
+{{ with secret "dynamic-app/kv/database_root" }}
+MYSQL_ROOT_PASSWORD = "{{ .Data.data.password }}"
+{{ end }}
+EOF
+      }
+      resources {
+        cpu    = 500
+        memory = 500
+      }
+    }
+    network {
+      mode = "bridge"
+      port "db" {
+        static = 3306
+        to     = 3306
+      }
+    }
+  }
+}
diff --git a/nomad/whoami.hcl b/nomad/whoami.hcl
@@ -1,7 +1,6 @@
 job "whoami" {
   datacenters = ["dc1"]
   type        = "service"
-  namespace   = "demo"
 
   group "whoami" {
     count = 1

diff --git a/setup/.terraform.lock.hcl b/setup/.terraform.lock.hcl