vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect

This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
Luke Granger-Brown 2022-03-11 22:07:31 +00:00
parent ac0c6eccef
commit ae97fddae2


@ -26,67 +26,34 @@ let
(groupOrDefault c.key.group c) (groupOrDefault c.key.group c)
]) acmeCertificates)); ]) acmeCertificates));
acmeCertificatesTemplate = builtins.concatMap (c: let acmeCertificatesTemplate = map (c: {
secretStanza = '' contents = ''
secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}" {{with secret "acme/certs/${c.role}" "common_name=${c.name}" "alternative_names=${builtins.concatStringsSep "," (builtins.sort builtins.lessThan c.extraNames)}"}}
{{ .Data.cert | writeToFile "${fullchainPath c}" "vault-agent" "${groupOrDefault c.fullchain.group c}" "${c.fullchain.mode}" "newline" }}
{{ .Data.issuer_cert | writeToFile "${chainPath c}" "vault-agent" "${groupOrDefault c.chain.group c}" "${c.chain.mode}" "newline" }}
{{ .Data.private_key | writeToFile "${keyPath c}" "vault-agent" "${groupOrDefault c.key.group c}" "${c.key.mode}" "newline" }}
{{ end }}
''; '';
in [ destination = "/var/lib/acme/${c.name}/token";
{ perms = "0600";
# Certificate full chain command = let
contents = '' grp = groupOrDefault c.fullchain.group c;
{{with ${secretStanza}}} in pkgs.writeShellScript "post-${c.name}-crt" ''
{{ .Data.cert }}{{ end }} ${lib.concatMapStringsSep "\n" (x: ''
''; /run/current-system/sw/bin/systemctl reload-or-restart ${x}
destination = fullchainPath c; '') (reloadOrRestartUnits c)}
perms = c.fullchain.mode; ${lib.concatMapStringsSep "\n" (x: ''
command = let /run/current-system/sw/bin/systemctl restart ${x}
grp = groupOrDefault c.fullchain.group c; '') c.restartUnits}
in pkgs.writeShellScript "post-${c.name}-crt" '' ${lib.optionalString (c.command != "") c.command}
sleep 1s # Cheap hack... '';
${lib.optionalString (grp != "") '' }) acmeCertificates;
chgrp "${grp}" "${fullchainPath c}"
''}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl reload-or-restart ${x}
'') (reloadOrRestartUnits c)}
${lib.concatMapStringsSep "\n" (x: ''
/run/current-system/sw/bin/systemctl restart ${x}
'') c.restartUnits}
${lib.optionalString (c.command != "") c.command}
'';
} {
# Certificate chain
contents = ''
{{with ${secretStanza}}}
{{ .Data.issuer_cert }}{{ end }}
'';
destination = chainPath c;
perms = c.chain.mode;
command = let
grp = groupOrDefault c.chain.group c;
in pkgs.writeShellScript "post-${c.name}-chain" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${chainPath c}"
''}
'';
} {
# Key
contents = ''
{{with ${secretStanza}}}
{{ .Data.private_key }}{{ end }}
'';
destination = keyPath c;
perms = c.key.mode;
command = let
grp = groupOrDefault c.key.group c;
in pkgs.writeShellScript "post-${c.name}-key" ''
${lib.optionalString (grp != "") ''
chgrp "${grp}" "${keyPath c}"
''}
'';
}
]) acmeCertificates;
extraWritableDirs = lib.unique (builtins.concatMap (c: [
(dirOf (fullchainPath c))
(dirOf (chainPath c))
(dirOf (keyPath c))
]) acmeCertificates);
acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c: acmeCertificatesTmpdirs = lib.unique (builtins.concatMap (c:
let let
fullchainDir = dirOf (fullchainPath c); fullchainDir = dirOf (fullchainPath c);
@ -105,6 +72,7 @@ let
in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -" in lib.optional c.fullchain.makeDir "d ${fullchainDir} 0750 vault-agent ${fullchainDirGroup} - -"
++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -" ++ lib.optional c.chain.makeDir "d ${chainDir} 0750 vault-agent ${chainDirGroup} - -"
++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -" ++ lib.optional c.key.makeDir "d ${keyDir} 0750 vault-agent ${keyDirGroup} - -"
++ [ "d /var/lib/acme/${c.name} 0750 vault-agent - -" ]
) acmeCertificates); ) acmeCertificates);
allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates); allRestartableUnits = lib.unique (builtins.concatMap (c: (reloadOrRestartUnits c) ++ c.restartUnits) acmeCertificates);
@ -209,6 +177,7 @@ in
services.vault-agent = { services.vault-agent = {
serviceConfig = { serviceConfig = {
SupplementaryGroups = mkBefore acmeCertificatesGroups; SupplementaryGroups = mkBefore acmeCertificatesGroups;
ReadWritePaths = mkBefore extraWritableDirs;
}; };
}; };
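Review bot: The `grp` binding in the new post-command (`grp = groupOrDefault c.fullchain.group c;` directly before `in pkgs.writeShellScript "post-${c.name}-crt"`) is no longer referenced anywhere in the script body, because the `chgrp` it used to feed has moved into the group argument of `writeToFile`; drop the `let grp = …; in` so group handling lives in exactly one place. The token file at `/var/lib/acme/${c.name}/token` seems to exist only to drive the three `writeToFile` calls and the post-command, and that intent deserves a comment on the `destination` line, e.g. `# Trigger file only: the cert, chain and key are written by writeToFile above.`. One point to confirm rather than assert: the old per-file `destination` entries were rendered by vault-agent's own (temp-file-and-rename) template writer, whereas `writeToFile` as I recall writes the path directly, so the `systemctl reload-or-restart` in the post-command could in principle observe a partially written fullchain or private key; if that matters, check vault-agent's `writeToFile` semantics and otherwise write to a sibling temporary path and rename. The enclosing `let` block starts and ends outside these hunks.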