Merge pull request #47 from CodeNow/SAN-6195-create-vault-token

San 6195 create vault token
CodeNow · May 18, 2017 · 616010e · 616010e
2 parents 38fac85 + 545469f
commit 616010e
Show file tree

Hide file tree

Showing 10 changed files with 120 additions and 99 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,7 @@ npm-debug.log
 consul-resources/template-config.hcl
 consul-resources/vault/vault.hcl
 hosts-registry.txt
-util/get-org-id.sh
+util/get-aws-creds.sh
 consul-resources/vault/**/auth-token
 consul-resources/vault/**/token-01
 consul-resources/vault/**/token-02

diff --git a/consul-resources/templates/get-aws-creds.sh.ctmpl b/consul-resources/templates/get-aws-creds.sh.ctmpl
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+{{ with vault "aws_1h/creds/dock-init" }}
+export AWS_ACCESS_KEY="{{ .Data.access_key }}"
+export AWS_SECRET_KEY="{{ .Data.secret_key  }}"
+{{ end }}
diff --git a/consul-resources/templates/get-org-tag.sh.ctmpl b/consul-resources/templates/get-org-tag.sh.ctmpl
diff --git a/consul-resources/templates/registry_policy.tmpl b/consul-resources/templates/registry_policy.tmpl
@@ -0,0 +1,3 @@
+path "secret/organization/{{bpid}}/*" {
+  policy = "read"
+}
diff --git a/init.sh b/init.sh
@@ -33,11 +33,25 @@ else
   export VAULT_HOSTNAME
 fi
 
+if [ -z "${USER_VAULT_PORT+x}" ]; then
+  export USER_VAULT_PORT=8200
+else
+  export USER_VAULT_PORT
+fi
+
+if [ -z "${USER_VAULT_HOSTNAME+x}" ]; then
+  export USER_VAULT_HOSTNAME=$USER_VAULT_HOSTNAME
+else
+  export USER_VAULT_HOSTNAME
+fi
+
+
 export DOCKER_NETWORK=172.17.0.0/16
 
 source "${DOCK_INIT_BASE}/lib/consul.sh"
 source "${DOCK_INIT_BASE}/lib/aws.sh"
 source "${DOCK_INIT_BASE}/lib/dock.sh"
+source "${DOCK_INIT_BASE}/lib/vault.sh"
 source "${DOCK_INIT_BASE}/lib/container.sh"
 source "${DOCK_INIT_BASE}/lib/iptables.sh"
 source "${DOCK_INIT_BASE}/lib/cleanup.sh"
@@ -50,9 +64,10 @@ main() {
   consul::get_environment
   consul::configure_consul_template
   dock::generate_certs
-  aws::get_org_id
+  aws::get_org_ids
   dock::set_hostname
   dock::set_config_org
+  vault::store_private_registry_token
   container::start
   # rules must be run after docker has started
   iptables::run_rules

diff --git a/lib/aws.sh b/lib/aws.sh
@@ -8,64 +8,52 @@ source "${DOCK_INIT_BASE}/lib/util/halter.sh"
 # @author Ryan Sandor Richards
 # @module aws
 
-# Backoff routine that attempts to fetch the dock's org id from EC2 tags
-aws::fetch_org_id_from_tags() {
-  local attempt=${1}
+# get aws creds for these scripts...
+aws::get_aws_creds() {
+  # Generate the org-tag fetching script
+  rollbar::fatal_trap \
+    "Dock-Init: Failed to Render Org Script" \
+    "Consule-Template was unable to realize the given template."
 
-  log::info 'Attempting to get org id...'
-  data='{"attempt":'"${attempt}"'}'
+  ORG_SCRIPT=$DOCK_INIT_BASE/util/get-aws-creds.sh
+
+  local config="$DOCK_INIT_BASE/consul-resources/template-config.hcl"
+  local template="$DOCK_INIT_BASE"
+  template+="/consul-resources/templates/get-aws-creds.sh.ctmpl:$ORG_SCRIPT"
+
+  consul-template -config="${config}" -once -template="${template}"
 
-  rollbar::warning_trap \
-    "Dock-Init: Cannot Fetch Org" \
-    "Attempting to get the Org Tag from AWS and failing." \
-    "$data"
-  ORG_ID=$(bash "$ORG_SCRIPT")
-  log::trace "Script Output: $ORG_ID"
   rollbar::clear_trap
+  # give amazon a chance to get the auth
+  sleep 5
 
-  if [[ "$ORG_ID" != "" ]]; then
-    # Assume first value in host_tags comma separated list is org ID...
-    ORG_ID=$(echo "$ORG_ID" | cut -d, -f 1)
-    export ORG_ID
-    return 0
-  else
-    # report the attempt to rollbar, since we don't want this to always fail
-    rollbar::report_warning \
-      "Dock-Init: Failed to Fetch Org" \
-      "Org Script returned an empty string. Retrying."
-    return 1
-  fi
+  source "${DOCK_INIT_BASE}/util/get-aws-creds.sh"
 }
 
 # Fetches the org tags from EC2 and sets it to the `ORG_ID` environment variable
-aws::get_org_id() {
+aws::get_org_ids() {
   log::info "Setting Github Org ID"
 
   # Generate the org-tag fetching script
   rollbar::fatal_trap \
     "Dock-Init: Failed to Render Org Script" \
     "Consule-Template was unable to realize the given template."
   if [ -z ${AWS_ACCESS_KEY+x} ] || [ -z ${AWS_SECRET_KEY+x} ]; then
-    ORG_SCRIPT=$DOCK_INIT_BASE/util/get-org-id.sh
-
-    local config="$DOCK_INIT_BASE/consul-resources/template-config.hcl"
-    local template="$DOCK_INIT_BASE"
-    template+="/consul-resources/templates/get-org-tag.sh.ctmpl:$ORG_SCRIPT"
-
-    consul-template -config="${config}" -once -template="${template}"
+    backoff aws::get_aws_creds
+  fi
 
-    rollbar::clear_trap
+  EC2_HOME=/usr/local/ec2
+  export EC2_HOME
 
-    # give amazon a chance to get the auth
-    sleep 5
+  JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/jre
+  export JAVA_HOME
 
-    # Attempt to fetch the org id from the tags via the fetch script
-    backoff aws::fetch_org_id_from_tags
-  else
-    log::info "Taking aws creds from system"
-    backoff aws::get_org_id_onprem
-  fi
+  export INSTANCE_ID=$(ec2-metadata -i | awk '{print $2}')
+  # Note: this only works for us-.{4}-\d
+  export REGION=$(ec2-metadata --availability-zone | awk '{ where = match($2, /us\-.+\-[1|2]/); print substr($2, where, 9); }')
 
+  backoff aws::fetch_org_id
+  backoff aws::fetch_poppa_id
   if [[ "$ORG_ID" == "" ]]; then
     # this will print an error, so that's good
     rollbar::report_error \
@@ -76,9 +64,10 @@ aws::get_org_id() {
   fi
 
   log::info "Got Org ID: $ORG_ID"
+  log::info "Got Poppa ID: $POPPA_ID"
 }
 
-aws::get_org_id_onprem() {
+aws::fetch_org_id() {
   local attempt=${1}
   log::info 'Attempting to get org id on prem'
   data='{"attempt":'"${attempt}"'}'
@@ -88,25 +77,35 @@ aws::get_org_id_onprem() {
     "Attempting to get the Org Tag from AWS and failing." \
     "$data"
 
-  EC2_HOME=/usr/local/ec2
-  export EC2_HOME
+  ORG_ID=$(bash /usr/local/ec2/bin/ec2-describe-tags \
+    --aws-access-key="${AWS_ACCESS_KEY}" \
+    --aws-secret-key="${AWS_SECRET_KEY}" \
+    --filter "resource-type=instance" \
+    --filter "resource-id=${INSTANCE_ID}" \
+    --filter "key=org" \
+    --region "${REGION}" \
+    | awk '{print $5}')
 
-  JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/jre
-  export JAVA_HOME
+  export ORG_ID
+}
 
-  local instance_id=$(ec2-metadata -i | awk '{print $2}')
+# Fetches the poppa tags from EC2 and sets it to the `POPPA_ID` environment variable
+aws::fetch_poppa_id() {
+  log::info "Setting Poppa ID"
 
-  # Note: this only works for us-.{4}-\d
-  local region=$(ec2-metadata --availability-zone | awk '{ where = match($2, /us\-.+\-[1|2]/); print substr($2, where, 9); }')
+  # Generate the org-tag fetching script
+  rollbar::fatal_trap \
+    "Dock-Init: Failed to Render Org Script" \
+    "Consule-Template was unable to realize the given template."
 
-  ORG_ID=$(bash /usr/local/ec2/bin/ec2-describe-tags \
+  POPPA_ID=$(bash /usr/local/ec2/bin/ec2-describe-tags \
     --aws-access-key="${AWS_ACCESS_KEY}" \
     --aws-secret-key="${AWS_SECRET_KEY}" \
     --filter "resource-type=instance" \
-    --filter "resource-id=${instance_id}" \
-    --filter "key=org" \
-    --region "${region}" \
+    --filter "resource-id=${INSTANCE_ID}" \
+    --filter "key=runnable-org-id" \
+    --region "${REGION}" \
     | awk '{print $5}')
 
-  export ORG_ID
+  export POPPA_ID
 }
diff --git a/lib/cleanup.sh b/lib/cleanup.sh
@@ -11,7 +11,9 @@ cleanup::exit_trap() {
           "${CERT_PATH}"/pass \
           "${DOCK_INIT_BASE}"/consul-resources/template-config.hcl \
           "${DOCK_INIT_BASE}"/consul-resources/vault/**/auth-token \
+          "${DOCK_INIT_BASE}"/consul-resources/vault/**/user-vault-auth-token \
           "${DOCK_INIT_BASE}"/consul-resources/vault/**/token-* \
+          "${DOCK_INIT_BASE}"/util/get-aws-creds.sh \
           "${DOCK_INIT_BASE}"/key/rollbar.token
   fi
 }

diff --git a/lib/consul.sh b/lib/consul.sh
@@ -25,7 +25,7 @@ consul::connect() {
   backoff consul::connect_backoff
 }
 
-# Echos a value from consul foer the given keypath
+# Echos a value from consul for the given keypath
 # @param $1 keypath Keypath for the value to get from consul
 consul::get() {
   # Strip leading slashes so it works with both '/my/path' and 'my/path'
@@ -54,20 +54,23 @@ consul::configure_consul_template() {
     "Consul-Template was unable to realize the config template."
 
   # expose VAULT_TOKEN for consul-template config
-    if [ -z ${AWS_ACCESS_KEY+x} ] || [ -z ${AWS_SECRET_KEY+x} ]; then
-      local NODE_ENV=$(consul::get node/env)
-      local token_path="${DOCK_INIT_BASE}/consul-resources/vault/${NODE_ENV}"
-      log::info "$token_path"
-      VAULT_TOKEN=$(cat "${token_path}"/auth-token)
-      export VAULT_TOKEN
+  if [ -z ${AWS_ACCESS_KEY+x} ] || [ -z ${AWS_SECRET_KEY+x} ]; then
+    local NODE_ENV=$(consul::get node/env)
+    local token_path="${DOCK_INIT_BASE}/consul-resources/vault/${NODE_ENV}"
+    log::info "$token_path"
+    VAULT_TOKEN=$(cat "${token_path}"/auth-token)
+    export VAULT_TOKEN
 
-      local template="$DOCK_INIT_BASE/consul-resources/templates/"
-      template+="template-config.hcl.ctmpl"
-      template+=":$DOCK_INIT_BASE/consul-resources/template-config.hcl"
+    USER_VAULT_TOKEN=$(cat "${token_path}"/user-vault-auth-token)
+    export USER_VAULT_TOKEN
 
-      consul-template -once -template="$template"
-    else
-      log::info "AWS access key and secret already created, skipping template creation"
-    fi
+    local template="$DOCK_INIT_BASE/consul-resources/templates/"
+    template+="template-config.hcl.ctmpl"
+    template+=":$DOCK_INIT_BASE/consul-resources/template-config.hcl"
+
+    consul-template -once -template="$template"
+  else
+    log::info "AWS access key and secret already created, skipping template creation"
+  fi
   rollbar::clear_trap
 }
diff --git a/lib/vault.sh b/lib/vault.sh
@@ -4,6 +4,7 @@
 # @author Anandkumar Patel
 # @module vault
 
+source "${DOCK_INIT_BASE}/lib/consul.sh"
 source "${DOCK_INIT_BASE}/lib/util/log.sh"
 source "${DOCK_INIT_BASE}/lib/util/rollbar.sh"
 
@@ -52,3 +53,23 @@ vault::set_s3_keys() {
   export S3_SECRET_KEY
   rollbar::clear_trap
 }
+
+# creates a token for a the organizations-readonly policy
+vault::store_private_registry_token() {
+  log::info "Storing vault token for private registry key"
+  local NODE_ENV=$(consul::get node/env)
+  local token_path="${DOCK_INIT_BASE}/consul-resources/vault/${NODE_ENV}"
+  unset VAULT_TOKEN
+  # this will pull from the vault currently running (our vault)
+  export VAULT_ADDR="http://${USER_VAULT_HOSTNAME}:${USER_VAULT_PORT}"
+  # this might also be needed if we use a different root token
+
+  USER_VAULT_TOKEN=$(cat "${token_path}"/user-vault-auth-token)
+  vault auth ${USER_VAULT_TOKEN}
+  log::info "Creating new policy and token for dock-$POPPA_ID"
+  sed "s/{{bpid}}/${POPPA_ID}/g" "${DOCK_INIT_BASE}/consul-resources/templates/registry_policy.tmpl" > "${DOCK_INIT_BASE}/consul-resources/templates/registry_policy.hcl"
+  vault policy-write dock-${POPPA_ID} "${DOCK_INIT_BASE}/consul-resources/templates/registry_policy.hcl"
+  vault token-create -policy=dock-${POPPA_ID} | awk '/token/ { print $2 }' | awk 'NR==1  { print $1 }' > /opt/runnable/dock-init/user-private-registry-token
+  VAULT_TOKEN=$(cat "${token_path}"/auth-token)
+  export VAULT_TOKEN
+}
diff --git a/test/consul.sh b/test/consul.sh
@@ -29,7 +29,7 @@ describe 'consul.sh'
 
     it 'should read in the vault token'
       consul::configure_consul_template
-      cat::called_with "${DOCK_INIT_BASE}/consul-resources/vault/TEST-NODE-ENV/auth-token"
+      cat::called_with "${DOCK_INIT_BASE}/consul-resources/vault/TEST-NODE-ENV/user-vault-auth-token"
     end
 
     it 'generate the consul-template configuration'