Commit 3abf27a7 authored by Finn Herzfeld's avatar Finn Herzfeld

Rearrange the config a little

parent 8636db4c
Pipeline #3425 passed with stage
in 1 minute and 40 seconds
......@@ -14,29 +14,37 @@ var ConfigFiles = []string{"/etc/rhyzome.conf", "rhyzome.conf"}
// Config describes all configurable keys
type Config struct {
Bind string // Bind is the address (and port) to bind the REST server to
BridgeInterface string // BridgeInterface is the bridge that all network interfaces are added to
DiskStoragePool string // DiskStoragePool is the name of the storage pool to use
Hostname string // Hostname is the domain that guests will be created under
ImageDir string // ImageDir is the path to the local image pool
ImageGroup string // ImageGroup is the GID that should own volume images
ImageHost string // ImageHost is the base URL for the disk image server
ImageOwner string // ImageOwner is the UID that should own volume images
MetadataBind string // MetadataBind is the port (and optionally IP) to bind the metadata server to
CloudInitSeed string // CloudInitSeed is the seed to pass to cloud-init
CloudName string // CloudName is the cloud provider name to tell cloud-init
Vault VaultConfig
Bind string // Bind is the address (and port) to bind the REST server to
BridgeInterface string // BridgeInterface is the bridge that all network interfaces are added to
DiskStoragePool string // DiskStoragePool is the name of the storage pool to use
Hostname string // Hostname is the domain that guests will be created under
ImageDir string // ImageDir is the path to the local image pool
ImageGroup string // ImageGroup is the GID that should own volume images
ImageHost string // ImageHost is the base URL for the disk image server
ImageOwner string // ImageOwner is the UID that should own volume images
MetadataBind string // MetadataBind is the port (and optionally IP) to bind the metadata server to
CloudInit CloudInitConfig // CloudInit contains settings that are specific to the cloud-init integration
Vault VaultConfig // Vault contains settings for connecting to the vault server
CredentialInjection CredentialInjectionConfig // CredentialInjection configures how credentials are injected into guests
}
type VaultConfig struct {
TLSConfig api.TLSConfig // TLSConfig is the TLS configuration to use, if any
Address string
InjectionCommand string
TLSConfig api.TLSConfig // TLSConfig is the TLS configuration to use, if any
Address string
RoleIDFilePath string
SecretIDFilePath string
}
type CloudInitConfig struct {
Seed string // Seed is the seed URL to pass to cloud-init via qemu smbios flag. Should be http://<metadata server>/cloud-init/
CloudName string // CloudName is name of the cloud we tell cloud-init it's running on
}
type CredentialInjectionConfig struct {
PostInjectionCommand string
CommandPollMS int
GuestCommandTimeoutSeconds libvirt.DomainQemuAgentCommandTimeout
GuestAuthFolder string
RoleIDFilePath string
SecretIDFilePath string
SecretIDTTL string
TokenPolicies []string
SecretIDNumUses string
......@@ -57,14 +65,18 @@ var (
ImageHost: "http://image-host.fruit-0.entanglement.garden",
ImageOwner: "64055",
MetadataBind: "127.0.0.1:8081",
CloudInitSeed: "http://127.0.0.1:8081/cloud-init/",
CloudName: "rhyzome",
CloudInit: CloudInitConfig{
Seed: "http://127.0.0.1:80801/cloud-init/",
CloudName: "rhyzome",
},
Vault: VaultConfig{
TLSConfig: api.TLSConfig{},
InjectionCommand: "/opt/entanglement/vault-inject.sh",
TLSConfig: api.TLSConfig{},
},
CredentialInjection: CredentialInjectionConfig{
PostInjectionCommand: "/opt/entanglement/vault-inject.sh",
GuestCommandTimeoutSeconds: 5,
GuestAuthFolder: "/etc/entanglement/auth",
CommandPollMS: 250,
GuestCommandTimeoutSeconds: 5,
SecretIDTTL: "1h",
SecretIDNumUses: "1",
TokenMaxTTL: "24h",
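Review bot: The new CloudInit.Seed default `Seed: "http://127.0.0.1:80801/cloud-init/"` carries port 80801, which is outside the valid TCP port range; the value it replaces used 8081, matching the MetadataBind default `"127.0.0.1:8081"`, so this looks like a typo that would leave guests booted with the default config unable to reach the cloud-init datasource that CreateAsJob passes via the smbios serial string. Change it to `Seed: "http://127.0.0.1:8081/cloud-init/",`. The new CredentialInjectionConfig struct also lacks the per-field comments that Config carries, e.g. `GuestAuthFolder string // GuestAuthFolder is the directory on the guest where the role-id and secret-id files are written` and `CommandPollMS int // CommandPollMS is the delay in milliseconds between polls of a guest-agent command`. RoleIDFilePath and SecretIDFilePath appear under both VaultConfig and CredentialInjectionConfig in the rendered hunk; if both pairs really exist on the new side, one is probably a leftover of the move. The struct hunk appears to be cut before the end of CredentialInjectionConfig, so TokenMaxTTL, which the defaults and InjectAppRole reference, may be declared below the visible lines.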
......
......@@ -201,7 +201,7 @@ func (i *Instance) CreateAsJob(j *jobs.Job) error {
QEMUCommandline: &libvirtxml.DomainQEMUCommandline{
Args: []libvirtxml.DomainQEMUCommandlineArg{
libvirtxml.DomainQEMUCommandlineArg{Value: "-smbios"},
libvirtxml.DomainQEMUCommandlineArg{Value: "type=1,serial=ds=nocloud-net;s=" + config.C.CloudInitSeed},
libvirtxml.DomainQEMUCommandlineArg{Value: "type=1,serial=ds=nocloud-net;s=" + config.C.CloudInit.Seed},
},
},
}
......
......@@ -32,7 +32,7 @@ func cloudInitMetaData(w http.ResponseWriter, r *http.Request) {
err := yaml.NewEncoder(w).Encode(CloudInitMetadata{
LocalHostname: domain.Name,
InstanceID: domain.UUID,
CloudName: config.C.CloudName,
CloudName: config.C.CloudInit.CloudName,
})
if err != nil {
log.Println("Error encoding response", err)
......
......@@ -28,9 +28,9 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
_, err = GuestExec(domain, "mkdir", "-p", config.C.Vault.GuestAuthFolder)
_, err = GuestExec(domain, "mkdir", "-p", config.C.CredentialInjection.GuestAuthFolder)
if err != nil {
log.Println("Error creating", config.C.Vault.GuestAuthFolder, "on guest:", err)
log.Println("Error creating", config.C.CredentialInjection.GuestAuthFolder, "on guest:", err)
http.Error(w, err.Error(), 500)
return
}
......@@ -38,10 +38,10 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
// Create the approle
appRolePath := fmt.Sprintf("auth/approle/role/%s.%s", domainName, config.C.Hostname)
_, err = vaultClient.Logical().Write(appRolePath, map[string]interface{}{
"secret_id_ttl": config.C.Vault.SecretIDTTL,
"token_policies": strings.Join(config.C.Vault.TokenPolicies, ","),
"secret_id_num_uses": config.C.Vault.SecretIDNumUses,
"token_max_ttl": config.C.Vault.TokenMaxTTL,
"secret_id_ttl": config.C.CredentialInjection.SecretIDTTL,
"token_policies": strings.Join(config.C.CredentialInjection.TokenPolicies, ","),
"secret_id_num_uses": config.C.CredentialInjection.SecretIDNumUses,
"token_max_ttl": config.C.CredentialInjection.TokenMaxTTL,
})
if err != nil {
log.Println("Error creating vault role", appRolePath, err)
......@@ -64,7 +64,7 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
err = WriteSecret(domain, fmt.Sprintf("%s/role-id", config.C.Vault.GuestAuthFolder), roleIDstring)
err = WriteSecret(domain, fmt.Sprintf("%s/role-id", config.C.CredentialInjection.GuestAuthFolder), roleIDstring)
if err != nil {
log.Println("Error writing role-id file to guest", err)
http.Error(w, err.Error(), 500)
......@@ -94,14 +94,14 @@ func InjectAppRole(w http.ResponseWriter, r *http.Request) {
return
}
err = WriteSecret(domain, fmt.Sprintf("%s/secret-id", config.C.Vault.GuestAuthFolder), secretIDstring)
err = WriteSecret(domain, fmt.Sprintf("%s/secret-id", config.C.CredentialInjection.GuestAuthFolder), secretIDstring)
if err != nil {
log.Println("Error writing secret-id file to guest", err)
http.Error(w, err.Error(), 500)
return
}
statusResponse, err := GuestExec(domain, config.C.Vault.InjectionCommand, domainName)
statusResponse, err := GuestExec(domain, config.C.CredentialInjection.PostInjectionCommand, domainName)
if err != nil {
http.Error(w, err.Error(), 500)
return
......@@ -164,7 +164,7 @@ func GuestExec(domain *libvirt.Domain, path string, args ...string) (response qa
break
}
time.Sleep(time.Duration(config.C.Vault.CommandPollMS) * time.Millisecond)
time.Sleep(time.Duration(config.C.CredentialInjection.CommandPollMS) * time.Millisecond)
}
return
......