feat: vault secret in droneCI

nomad-job/drone-runner.nomad

@@ -0,0 +1,48 @@
+
+job "drone-runner" {
+  datacenters = ["homelab"]
+  priority = 50
+  type = "system"
+  meta {
+    forcedeploy = "0"
+  }
+
+  group "drone-runner"{
+    vault{
+      policies= ["droneci"]
+
+    }
+  
+    task "drone-runner" {
+      driver = "docker"
+      config {
+        image = "drone/drone-runner-docker:latest"
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock",
+        ]
+      }
+      env {
+
+      }
+      template {
+        data        = <<EOH
+          {{ with secret "secrets/data/nomad/droneCI"}}
+          DRONE_RPC_HOST="drone.ducamps.win"
+          DRONE_RPC_PROTO="https"
+          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
+          DRONE_SECRET_PLUGIN_TOKEN={{ .Data.data.DRONE_VAULT_SECRET}}
+          {{ end }}
+          {{- range service "drone-vault" }}
+          DRONE_SECRET_PLUGIN_ENDPOINT=http://{{ .Address }}:{{ .Port }}
+          {{- end}}
+          EOH
+        destination = "local/drone-runner.env"
+        env         = true
+      }
+      resources {
+        memory = 50
+      }
+    }
+
+  }
+}

nomad-job/drone.nomad

@@ -12,6 +12,9 @@ job "drone" {
       port "http" {
         to = 80
       }
+      port "vault" {
+
+      }
     }
     constraint {
       attribute = "${attr.cpu.arch}"
@@ -66,73 +69,43 @@ job "drone" {
           DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.password }}@db1.ducamps.win:5432/drone?sslmode=disable"
           {{end}}
           EOH
-        destination = "local/drone.env"
+        destination = "secrets/drone.env"
         env         = true
       }
       resources {
         memory = 100
       }
     }
-
+    task "vault" {
-    task "drone-runner" {
       driver = "docker"
-      config {
+      service {
-        image = "drone/drone-runner-docker:latest"
+        name = "drone-vault"
-        volumes = [
+        port = "vault"
-          "/var/run/docker.sock:/var/run/docker.sock",
-        ]
       }
-      env {
+      config {
-
+        ports = ["vault"]
+        image = "drone/vault:latest"
       }
       template {
         data= <<EOH
+        DRONE_DEBUG=true
         {{ with secret "secrets/data/nomad/droneCI"}}
-          DRONE_RPC_HOST="drone.ducamps.win"
+        DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
-          DRONE_RPC_PROTO="https"
+        VAULT_APPROLE_ID=  {{ .Data.data.approleID}}
-          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
+        VAULT_APPROLE_SECRET=  {{ .Data.data.approleSecretID}}
+
         {{end}}
+        VAULT_ADDR=http://active.vault.service.consul:8200
+        VAULT_AUTH_TYPE=approle
+        VAULT_TOKEN_TTL=72h
+        VAULT_TOKEN_RENEWAL=24h
         EOH
-        destination = "local/drone-runner.env"
+        destination = "secrets/drone-vault.env"
         env = true
-      }
-      resources {
-        memory = 50
-      }
-    }
 
       }
-  group "Drone-ARM-Runner" {
-    constraint {
-      attribute = "${attr.cpu.arch}"
-      value     = "arm"
-    }
-    task "drone-ARM-runner" {
-      driver = "docker"
-      config {
-        image = "drone/drone-runner-docker:1.8.2-linux-arm"
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock",
-        ]
-      }
-      env {
 
-      }
-      template {
-        data        = <<EOH
-          {{ with secret "secrets/data/nomad/droneCI"}}
-          DRONE_RPC_HOST="drone.ducamps.win"
-          DRONE_RPC_PROTO="https"
-          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
-          {{ end }}
-          EOH
-        destination = "local/drone-runner.env"
-        env         = true
-      }
-      resources {
-        memory = 50
-      }
-    }
 
     }
   }
+}

vault/approle.tf

@@ -0,0 +1,31 @@
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+}
+
+resource "vault_approle_auth_backend_role" "drone-vault" {
+  backend        = vault_auth_backend.approle.path
+  role_name      = "drone-vault"
+  token_policies = ["drone-vault"]
+}
+
+
+data "vault_approle_auth_backend_role_id" "drone-vault" {
+    backend   = vault_auth_backend.approle.path
+    role_name = vault_approle_auth_backend_role.drone-vault.role_name
+}
+output "drone-vault-role-id" {
+      value = data.vault_approle_auth_backend_role_id.drone-vault.role_id
+}
+
+data "vault_policy_document" "drone-vault" {
+  rule {
+      path = "secrets/data/droneCI/*"
+      capabilities = ["read", "list"]
+   }
+
+}
+
+resource "vault_policy" "drone-vault" {
+    name = "drone-vault"
+    policy = data.vault_policy_document.nomad_server_policy.hcl
+}