From 5fc3be6ef4d2dbfef9b7e873dc08b34bf3a99678 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Thu, 24 Oct 2024 09:38:19 +0200
Subject: [PATCH] fix: refactoring example
Signed-off-by: Martin Buchleitner
---
 db_client.py | 15 +-
 db_client_transform.py | 32 +++---
 nomad/app_dynamic.hcl | 4 +-
 nomad/app_hardcoded.hcl | 6 +-
 nomad/app_static.hcl | 6 +-
 nomad/app_transit.hcl | 4 +-
 nomad/app_transit_connect.hcl | 5 +-
 nomad/app_transit_connect_traefik.hcl | 13 +--
 nomad/mysql.hcl | 6 ++
 nomad/mysql_connect.hcl | 30 +++++-
 nomad/mysql_static.hcl | 65 +++++++++++++
 nomad/whoami.hcl | 1 -
 setup/.terraform.lock.hcl | 21 ++++
 setup/main.tf | 134 ++++++++++++++++++++++++++
 setup/terraform.tfvars | 4 +
 setup/vault_kv.sh | 10 +-
 16 files changed, 312 insertions(+), 44 deletions(-)
 create mode 100644 nomad/mysql_static.hcl
 create mode 100644 setup/.terraform.lock.hcl
 create mode 100644 setup/main.tf
 create mode 100644 setup/terraform.tfvars
diff --git a/db_client.py b/db_client.py
index 5b3a823..7162864 100644
--- a/db_client.py
+++ b/db_client.py
@@ -64,12 +64,15 @@ def init_vault(self, addr, token, namespace, path, key_name):
 if not addr or not token:
 logger.warn('Skipping initialization...')
 return
- else:
- logger.warn("Connecting to vault server: {}".format(addr))
- self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace)
- self.key_name = key_name
- self.mount_point = path
- logger.debug("Initialized vault_client: {}".format(self.vault_client))
+ logger.warn("Connecting to vault server: {}".format(addr))
+ self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False)
+ if not self.vault_client.is_authenticated():
+ self.vault_client = None
+ logger.error("could not authenticate to vault")
+ return
+ self.key_name = key_name
+ self.mount_point = path
+ logger.debug("Initialized vault_client: {}".format(self.vault_client))

 def vault_db_auth(self, path):
 try:
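Review bot: `verify=False` on the new `hvac.Client(...)` call in `init_vault` turns off TLS certificate verification, so the Vault token sent on every request (and the secrets coming back) can be read by anyone able to stand in for `addr`; this is the kind of demo shortcut that gets copied into production unchanged. Keep verification on by default and let a CA bundle be supplied the way the Vault CLI does, e.g. `verify=os.environ.get("VAULT_CACERT", True)` (hvac passes `verify` through to requests, so a path works; `os` must be imported at the top of the file, which is outside this hunk), or at minimum emit a loud warning when it is disabled. The added `is_authenticated()` branch is welcome, but it resets `self.vault_client` to `None` and returns, which the rest of the class presumably reads as "Vault not configured" — a bad token would then degrade silently to the non-Vault path rather than fail closed, so consider raising here instead. `logger.warn` is the deprecated alias of `logger.warning`.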
diff --git a/db_client_transform.py b/db_client_transform.py index d9609e0..1434188 100644 --- a/db_client_transform.py +++ b/db_client_transform.py @@ -64,22 +64,26 @@ def init_db(self, uri, prt, uname, pw, db): # Later we will check to see if this is None to see whether to use Vault or not def init_vault(self, addr, token, namespace, path, key_name, transform_path, transform_masking_path, ssn_role, ccn_role): + self.vault_client = None if not addr or not token: logger.warn('Skipping initialization...') return - else: - logger.warn("Connecting to vault server: {}".format(addr)) - self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace) - logging.debug("Vault-token: {}".format(token)) - self.key_name = key_name - self.mount_point = path - self.transform_mount_point = transform_path - self.transform_masking_mount_point = transform_masking_path - self.ssn_role = ssn_role - self.ccn_role = ccn_role - self.namespace = namespace - self.token = token - logger.debug("Initialized vault_client: {}".format(self.vault_client)) + logger.warn("Connecting to vault server: {}".format(addr)) + self.vault_client = hvac.Client(url=addr, token=token, namespace=namespace, verify=False) + if not self.vault_client.is_authenticated(): + self.vault_client = None + logger.error("could not authenticate to vault") + return + logging.debug("Vault-token: {}".format(token)) + self.key_name = key_name + self.mount_point = path + self.transform_mount_point = transform_path + self.transform_masking_mount_point = transform_masking_path + self.ssn_role = ssn_role + self.ccn_role = ccn_role + self.namespace = namespace + self.token = token + logger.debug("Initialized vault_client: {}".format(self.vault_client)) def vault_db_auth(self, path): try: 
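Review bot: the re-added `logging.debug("Vault-token: {}".format(token))` writes the Vault token in clear text to the log, so anyone with log access (or the log aggregator) obtains a credential that can reach the transit and transform mounts configured a few lines below; drop the line, or log only a non-secret marker such as `logging.debug("Vault token supplied (len=%d)", len(token))`. `verify=False` on the `hvac.Client(...)` call disables TLS certificate verification for that same token on the wire; prefer a CA bundle (`verify=` also accepts a path) with `True` as the default. The comment above `init_vault` says callers test `self.vault_client is None` to decide whether Vault is used at all, so the new `is_authenticated()` failure branch — which sets the client back to `None` and returns — makes an invalid token fall back silently to the no-Vault code path; raising here, or returning an explicit failure, would fail closed. The enclosing class header is outside the hunk.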
@@ -96,6 +100,8 @@ def encrypt(self, value): response = self.vault_client.secrets.transit.encrypt_data( mount_point = self.mount_point, name = self.key_name, + + plaintext = base64.b64encode(value.encode()).decode('ascii') ) logger.debug('Response: {}'.format(response)) diff --git a/nomad/app_dynamic.hcl b/nomad/app_dynamic.hcl index 91b68ed..0728322 100644 --- a/nomad/app_dynamic.hcl +++ b/nomad/app_dynamic.hcl @@ -54,7 +54,9 @@ job "dynamic-app" { Port = {{ .Port }} {{end}} - Database = my_app + {{ with secret "dynamic-app/kv/database" }} + Database = {{ .Data.data.database }} + {{ end }} {{ with secret "dynamic-app/db/creds/app" }} User = {{ .Data.username }} Password = {{ .Data.password }} diff --git a/nomad/app_hardcoded.hcl b/nomad/app_hardcoded.hcl index bbb2170..db0b4cc 100644 --- a/nomad/app_hardcoded.hcl +++ b/nomad/app_hardcoded.hcl @@ -49,9 +49,9 @@ job "dynamic-app" { Port = {{ .Port }} {{end}} - Database = my_app - User = root - Password = super-duper-password + Database = app + User = app + Password = my-app-super-password EOF } resources { diff --git a/nomad/app_static.hcl b/nomad/app_static.hcl index d738e65..dfccba3 100644 --- a/nomad/app_static.hcl +++ b/nomad/app_static.hcl @@ -55,10 +55,10 @@ job "dynamic-app" { Port = {{ .Port }} {{end}} - Database = my_app {{ with secret "dynamic-app/kv/database" }} - User = {{ .Data.username }} - Password = {{ .Data.password }} + Database = {{ .Data.data.database }} + User = {{ .Data.data.username }} + Password = {{ .Data.data.password }} {{ end }} [VAULT] Enabled = False diff --git a/nomad/app_transit.hcl b/nomad/app_transit.hcl index 8f95828..1612829 100644 --- a/nomad/app_transit.hcl +++ b/nomad/app_transit.hcl @@ -56,7 +56,9 @@ job "dynamic-app" { Port = {{ .Port }} {{end}} - Database = my_app + {{ with secret "dynamic-app/kv/database" }} + Database = {{ .Data.data.database }} + {{ end }} {{ with secret "dynamic-app/db/creds/app" }} User = {{ .Data.username }} Password = {{ .Data.password }} 
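Review bot: wrapping the new `Database = {{ .Data.data.database }}` line in `{{ with secret "dynamic-app/kv/database" }}` means that, as I read consul-template's `with`, a missing secret or a policy that does not grant the read renders nothing, so `Database =` vanishes from config.ini and the app starts with an undefined database name instead of failing at render time. Rendering the key outside the guard, `Database = {{ with secret "dynamic-app/kv/database" }}{{ .Data.data.database }}{{ end }}`, keeps the line present so an empty value is at least visible, and a short comment above the block noting that the job's Vault policy must now cover both `dynamic-app/kv/database` and `dynamic-app/db/creds/app` would help operators. `.Data.data.database` is the KV v2 read shape; confirm the mount is v2, since a v1 mount would need `.Data.database`. The enclosing `template` block starts and ends outside the hunk.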
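Review bot: the new `User = app` / `Password = my-app-super-password` lines embed a live database credential in the job spec, where it is readable by anyone with `nomad job inspect` on the namespace and by everyone with read access to this repository, and the value is the same `MYSQL_PASSWORD` this commit sets in nomad/mysql.hcl, so the demo database is unlocked by the file alone. Since the file name indicates this is the deliberately insecure baseline, say so where it will be seen: add `# INSECURE: credentials are embedded in the job spec on purpose; see app_static.hcl / app_dynamic.hcl for the Vault-backed variants.` above the template block, and consider an obviously fake value so the hard-coded variant does not double as a working secret. The enclosing `template` block starts and ends outside the hunk.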
diff --git a/nomad/app_transit_connect.hcl b/nomad/app_transit_connect.hcl index ff8621e..2a705d7 100644 --- a/nomad/app_transit_connect.hcl +++ b/nomad/app_transit_connect.hcl @@ -50,7 +50,6 @@ job "dynamic-app" { volumes = [ "local/config.ini:/usr/src/app/config/config.ini" ] - ports = ["web"] } @@ -64,7 +63,9 @@ job "dynamic-app" { Address = 127.0.0.1 Port = 3306 - Database = my_app + {{ with secret "dynamic-app/kv/database" }} + Database = {{ .Data.data.database }} + {{ end }} {{ with secret "dynamic-app/db/creds/app" }} User = {{ .Data.username }} Password = {{ .Data.password }} diff --git a/nomad/app_transit_connect_traefik.hcl b/nomad/app_transit_connect_traefik.hcl index 5c5abec..2e750ca 100644 --- a/nomad/app_transit_connect_traefik.hcl +++ b/nomad/app_transit_connect_traefik.hcl @@ -1,7 +1,6 @@ job "dynamic-app" { datacenters = ["dc1"] type = "service" - namespace = "demo" group "dynamic-app" { count = 1 @@ -15,9 +14,6 @@ job "dynamic-app" { network { mode = "bridge" - // port "web" { - // to = 8080 - // } } vault { @@ -26,14 +22,13 @@ job "dynamic-app" { change_signal = "SIGINT" } - service { name = "dynamic-app" port = "8080" tags = ["traefik.enable=true", "traefik.http.routers.dynamic-app.rule=Host(`dynamic-app.127.0.0.1.nip.io`)", - "traefik.http.routers.dynamic-app.entrypoints=http", - "traefik.http.routers.dynamic-app.tls=false", + "traefik.http.routers.dynamic-app.entrypoints=https", + "traefik.http.routers.dynamic-app.tls=true", "traefik.connsulcatalog.connect=true" ] connect { @@ -78,7 +73,9 @@ job "dynamic-app" { Address = 127.0.0.1 Port = 3306 - Database = my_app + {{ with secret "dynamic-app/kv/database" }} + Database = {{ .Data.data.database }} + {{ end }} {{ with secret "dynamic-app/db/creds/app" }} User = {{ .Data.username }} Password = {{ .Data.password }} diff --git a/nomad/mysql.hcl b/nomad/mysql.hcl index 14d5e5d..8037e44 100644 --- a/nomad/mysql.hcl +++ b/nomad/mysql.hcl 
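Review bot: `traefik.http.routers.dynamic-app.tls=true` switches the router to TLS, but no `tls.certresolver` or TLS-options tag accompanies it, so as far as the tags show Traefik will serve whatever default certificate it has (its generated self-signed one unless a default store is configured) for `dynamic-app.127.0.0.1.nip.io`; add `traefik.http.routers.dynamic-app.tls.certresolver=<resolver>` or a comment stating that the self-signed default is intended for the demo. The neighbouring context tag `traefik.connsulcatalog.connect=true` looks misspelled — Traefik's Consul Catalog provider label is `traefik.consulcatalog.connect` — which would leave the Connect sidecar integration disabled for this service, and is worth fixing in the same change. Dropping `namespace = "demo"` moves the job to Nomad's default namespace, which may change which Nomad ACL policies and Vault role apply to it; confirm that is intended. The `service` block continues outside the hunk.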
@@ -22,11 +22,17 @@ job "mysql-server" { env = { "MYSQL_ROOT_PASSWORD" = "super-duper-password" + "MYSQL_DATABASE" = "app" + "MYSQL_USER" = "app" + "MYSQL_PASSWORD" = "my-app-super-password" } config { image = "mysql:9" ports = ["db"] + volumes = [ + "/srv/mysql/:/var/lib/mysql" + ] } resources { diff --git a/nomad/mysql_connect.hcl b/nomad/mysql_connect.hcl index 408b1e9..287559c 100644 --- a/nomad/mysql_connect.hcl +++ b/nomad/mysql_connect.hcl @@ -13,6 +13,12 @@ job "mysql-server" { } } + vault { + policies = ["nomad-dynamic-app", "nomad-mysql"] + change_mode = "signal" + change_signal = "SIGINT" + } + restart { attempts = 10 interval = "5m" @@ -23,16 +29,30 @@ job "mysql-server" { task "mysql-server" { driver = "docker" - env = { - "MYSQL_ROOT_PASSWORD" = "super-duper-password" - } - config { image = "mysql:9" - ports = ["db"] + volumes = [ + "/srv/mysql/:/var/lib/mysql" + ] } + template { + destination = "secrets/.envs" + change_mode = "noop" + env = true + data = <
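Review bot: `"MYSQL_PASSWORD" = "my-app-super-password"` (beside the existing root password) adds another clear-text credential to the job spec and to the task environment, where it is visible through `nomad job inspect`, `nomad alloc exec` or `docker inspect`, and in any crash report that dumps the environment; mysql_connect.hcl in this same commit appears to move these into a Vault-rendered `secrets/.envs` template, so this file should either follow suit or carry a comment marking it as the intentionally hard-coded baseline. The new `"/srv/mysql/:/var/lib/mysql"` entry is a raw host bind mount, which Nomad's Docker driver only honours when the client plugin is configured with `volumes { enabled = true }` — a setting that lets any job submitter mount arbitrary host paths, `/var/run/docker.sock` included; a `host_volume` registered on the client plus a `volume` stanza in the job keeps the allowed paths under operator control. The `image = "mysql:9"` context line is a floating tag; pin a digest if reproducible deployments matter here.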
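Review bot: the new `vault { policies = ["nomad-dynamic-app", "nomad-mysql"] ... }` block hands the MySQL server task the application's Vault policy in addition to its own, so a compromise of the database container yields a token that can read the app's KV entries and, presumably, mint `dynamic-app/db/creds/app` credentials; the server only needs to render its own root and user passwords, so restrict it to `policies = ["nomad-mysql"]` unless that policy is known to be insufficient, and say which paths it must cover in a comment. `change_mode = "signal"` with `change_signal = "SIGINT"` on this block fires when the task's Vault token is re-issued, and SIGINT will presumably interrupt mysqld rather than reload it — worth a comment on the intended behaviour. The second hunk of this file, which removes the `env` block and starts a `template { destination = "secrets/.envs" ... }`, is cut off at the end of the page and could not be reviewed.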