feat: add secretID automaticaly in KV for DroneCI
This commit is contained in:
parent
510e1f14cb
commit
0ecb686bfc
@ -91,9 +91,10 @@ job "drone" {
|
||||
DRONE_DEBUG=true
|
||||
{{ with secret "secrets/data/nomad/droneCI"}}
|
||||
DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
|
||||
{{end}}
|
||||
{{ with secret "secrets/data/nomad/droneCI/approle"}}
|
||||
VAULT_APPROLE_ID= {{ .Data.data.approleID}}
|
||||
VAULT_APPROLE_SECRET= {{ .Data.data.approleSecretID}}
|
||||
|
||||
{{end}}
|
||||
VAULT_ADDR=http://active.vault.service.consul:8200
|
||||
VAULT_AUTH_TYPE=approle
|
||||
|
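Review bot: The AppRole SecretID is rendered into the task environment as `VAULT_APPROLE_SECRET`, which exposes it to anything able to read the process environment (alloc exec, crash dumps, child processes that inherit env), and the `{{ with secret ... }}` block renders nothing when the KV path is absent, so a wrong path yields an empty variable instead of a render failure. Since this template is itself rendered with a Nomad-issued Vault token, consider whether Drone's Vault integration can use that token directly and drop the second, static credential. `VAULT_ADDR` in this hunk is `http://`; if that line is new or the address is reachable beyond the host, the SecretID rendered here is sent to Vault in clear. The template stanza's `env`/`change_mode` settings and the rest of the `job "drone"` block are outside this hunk.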
@ -29,3 +29,21 @@ resource "vault_policy" "drone-vault" {
|
||||
name = "drone-vault"
|
||||
policy = data.vault_policy_document.nomad_server_policy.hcl
|
||||
}
|
||||
|
||||
|
||||
resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
|
||||
backend = vault_auth_backend.approle.path
|
||||
role_name = vault_approle_auth_backend_role.drone-vault.role_name
|
||||
}
|
||||
|
||||
|
||||
resource "vault_kv_secret_v2" "drone-vault" {
|
||||
mount = vault_mount.kvv2-secret.path
|
||||
name = "nomad/droneCI/approle"
|
||||
data_json = jsonencode(
|
||||
{
|
||||
approleID = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
|
||||
approleSecretID = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
|
||||
}
|
||||
)
|
||||
}
|
||||
|
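Review bot: `vault_approle_auth_backend_role_secret_id` stores the generated SecretID in Terraform state, and `vault_kv_secret_v2` stores it a second time under `data_json`, so the state backend now holds a plaintext AppRole credential; confirm the backend is encrypted and access-controlled, and consider `secret_id_ttl` / `secret_id_num_uses` on the role so the copy kept in KV is not a permanent static credential. `data.vault_approle_auth_backend_role_id.drone-vault` referenced in `approleID = ...` is not part of this hunk; if it is not declared elsewhere the apply fails. A comment on the KV resource would help the next maintainer, e.g. `# SecretID copy read by the drone Nomad job template; rotate by tainting vault_approle_auth_backend_role_secret_id.drone-vault`.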
@ -47,6 +47,10 @@ data "vault_policy_document" "nomad_jobs" {
|
||||
path = "secrets/data/nomad/${each.key}"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
rule {
|
||||
path = "secrets/data/nomad/${each.key}/*"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
rule {
|
||||
path = "secrets/data/database/${each.key}"
|
||||
capabilities = ["read"]
|
||||
|
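Review bot: The new rule grants `read` on `secrets/data/nomad/${each.key}/*`, which covers every current and future sub-path under each job's prefix rather than only the `approle` secret this commit adds; if only the Drone job needs it, scoping the rule to `secrets/data/nomad/${each.key}/approle` (or adding it to the droneCI policy alone) limits the blast radius to that one secret. Since the SecretID is now readable with the job's Nomad-issued token, the AppRole provides no isolation beyond that token's own policy, which is worth stating in a comment next to the rule. The `data "vault_policy_document" "nomad_jobs"` block continues outside the hunk.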