func: unify keys and make them cluster grouped
Juanadelacuesta committed Jan 16, 2025
1 parent 3c1059f commit 7776501
Showing 15 changed files with 66 additions and 56 deletions.
8 changes: 4 additions & 4 deletions e2e/terraform/Makefile
Expand Up @@ -45,10 +45,10 @@ destroy_full:
# don't run this by default in plan/apply because it prevents you from
# updating a running cluster
tidy:
rm -rf keys
mkdir keys
chmod 0700 keys
rm -rf uploads/*
rm -rf provision-infra/keys
mkdir -p provision-infra/keys
chmod 0700 provision-infra/keys
rm -rf provision-infra/uploads/*
git checkout uploads/README.md
rm -f terraform.tfstate.*.backup
rm custom.tfvars
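Review bot: `git checkout uploads/README.md`, the line right after the rewritten `rm -rf provision-infra/uploads/*`, still points at the old top-level `uploads/` path, so `tidy` now clears one directory and restores the README in another; if the README moved with the uploads directory this should read `git checkout provision-infra/uploads/README.md`. Note also that provision-infra/main.tf in this same commit defines `uploads_dir` under `provision-nomad/uploads/`, so it is worth confirming which of the two directories `tidy` is meant to clear. The `tidy` target may continue past the end of the hunk.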
4 changes: 2 additions & 2 deletions e2e/terraform/README.md
Expand Up @@ -140,14 +140,14 @@ about the cluster:
You can use Terraform outputs above to access nodes via ssh:

```sh
ssh -i keys/nomad-e2e-*.pem ubuntu@${EC2_IP_ADDR}
ssh -i keys/<cluster-name>/nomad-e2e-*.pem ubuntu@${EC2_IP_ADDR}
```

The Windows client runs OpenSSH for convenience, but has a different
user and will drop you into a Powershell shell instead of bash:

```sh
ssh -i keys/nomad-e2e-*.pem Administrator@${EC2_IP_ADDR}
ssh -i keys/<cluster-name>/nomad-e2e-*.pem Administrator@${EC2_IP_ADDR}
```

## Teardown
18 changes: 9 additions & 9 deletions e2e/terraform/main.tf
Expand Up @@ -8,13 +8,13 @@ provider "aws" {
module "provision-infra" {
source = "./provision-infra"

server_count = var.server_count
client_count_linux = var.client_count_linux
client_count_windows_2016 = var.client_count_windows_2016
nomad_local_binary = var.nomad_local_binary
nomad_license = var.nomad_license
consul_license = var.consul_license
nomad_region = var.nomad_region
instance_arch = var.instance_arch
name = var.name
server_count = var.server_count
client_count_linux = var.client_count_linux
client_count_windows_2016 = var.client_count_windows_2016
nomad_local_binary = var.nomad_local_binary
nomad_license = var.nomad_license
consul_license = var.consul_license
nomad_region = var.nomad_region
instance_arch = var.instance_arch
name = var.name
}
10 changes: 5 additions & 5 deletions e2e/terraform/provision-infra/consul-servers.tf
Expand Up @@ -10,7 +10,7 @@ resource "random_uuid" "consul_initial_management_token" {}

resource "local_sensitive_file" "consul_initial_management_token" {
content = random_uuid.consul_initial_management_token.result
filename = "${path.module}/keys/consul_initial_management_token"
filename = "${local.keys_dir}/consul_initial_management_token"
file_permission = "0600"
}

Expand Down Expand Up @@ -91,13 +91,13 @@ resource "null_resource" "upload_consul_server_configs" {
user = "ubuntu"
host = aws_instance.consul_server.public_ip
port = 22
private_key = file("${path.module}/../keys/${local.random_name}.pem")
private_key = file("${local.keys_dir}/${local.random_name}.pem")
target_platform = "unix"
timeout = "15m"
}

provisioner "file" {
source = "${path.module}/keys/tls_ca.crt"
source = "${local.keys_dir}/tls_ca.crt"
destination = "/tmp/consul_ca.pem"
}
provisioner "file" {
Expand Down Expand Up @@ -133,7 +133,7 @@ resource "null_resource" "install_consul_server_configs" {
user = "ubuntu"
host = aws_instance.consul_server.public_ip
port = 22
private_key = file("${path.module}/../keys/${local.random_name}.pem")
private_key = file("${local.keys_dir}/${local.random_name}.pem")
target_platform = "unix"
timeout = "15m"
}
Expand Down Expand Up @@ -169,7 +169,7 @@ resource "null_resource" "bootstrap_consul_acls" {
command = "${path.module}/scripts/bootstrap-consul.sh"
environment = {
CONSUL_HTTP_ADDR = "https://${aws_instance.consul_server.public_ip}:8501"
CONSUL_CACERT = "${path.module}/keys/tls_ca.crt"
CONSUL_CACERT = "${local.keys_dir}/tls_ca.crt"
CONSUL_HTTP_TOKEN = "${random_uuid.consul_initial_management_token.result}"
CONSUL_AGENT_TOKEN = "${random_uuid.consul_agent_token.result}"
NOMAD_CLUSTER_CONSUL_TOKEN = "${random_uuid.consul_token_for_nomad.result}"
1 change: 0 additions & 1 deletion e2e/terraform/provision-infra/keys/nomad_root_token

This file was deleted.

3 changes: 2 additions & 1 deletion e2e/terraform/provision-infra/main.tf
Expand Up @@ -16,12 +16,13 @@ resource "random_password" "windows_admin_password" {
locals {
random_name = "${var.name}-${random_pet.e2e.id}"
uploads_dir = "${path.module}/provision-nomad/uploads/${random_pet.e2e.id}"
keys_dir = "${path.module}/keys/${random_pet.e2e.id}"
}

# Generates keys to use for provisioning and access
module "keys" {
name = local.random_name
path = "${path.module}/../keys"
path = "${local.keys_dir}"
source = "mitchellh/dynamic-keys/aws"
version = "v2.0.0"
}
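Review bot: The new `keys_dir` local places the SSH private key, the TLS private keys and the Nomad/Consul bootstrap tokens under `${path.module}/keys/<pet-id>` inside the module tree, and this same commit deletes a tracked `e2e/terraform/provision-infra/keys/nomad_root_token`, which shows files under that path have reached git before; confirm that `.gitignore` covers `e2e/terraform/provision-infra/keys/` (no ignore rule is part of this commit), and treat the deleted token as already exposed in history rather than removed. A comment above the local would make the intent explicit, e.g. `# keys_dir holds per-cluster SSH keys, TLS material and bootstrap tokens and must stay untracked`. Separately, `path = "${local.keys_dir}"` is an interpolation-only string and reads cleaner as `path = local.keys_dir`; the same applies to `NOMAD_TOKEN_PATH = "${local.keys_dir}"` in nomad-acls.tf.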
11 changes: 6 additions & 5 deletions e2e/terraform/provision-infra/nomad-acls.tf
Expand Up @@ -14,16 +14,17 @@ resource "null_resource" "bootstrap_nomad_acls" {
command = "${path.module}/scripts/bootstrap-nomad.sh"
environment = {
NOMAD_ADDR = "https://${aws_instance.server.0.public_ip}:4646"
NOMAD_CACERT = "${path.module}/keys/tls_ca.crt"
NOMAD_CLIENT_CERT = "${path.module}/keys/tls_api_client.crt"
NOMAD_CLIENT_KEY = "${path.module}/keys/tls_api_client.key"
NOMAD_CACERT = "${local.keys_dir}/tls_ca.crt"
NOMAD_CLIENT_CERT = "${local.keys_dir}/tls_api_client.crt"
NOMAD_CLIENT_KEY = "${local.keys_dir}/tls_api_client.key"
NOMAD_TOKEN_PATH = "${local.keys_dir}"
}
}
}

data "local_sensitive_file" "nomad_token" {
depends_on = [null_resource.bootstrap_nomad_acls]
filename = "${path.module}/keys/nomad_root_token"
filename = "${local.keys_dir}/nomad_root_token"
}

# push the token out to the servers for humans to use.
Expand Down Expand Up @@ -53,7 +54,7 @@ resource "null_resource" "root_nomad_env_servers" {
user = "ubuntu"
host = aws_instance.server[count.index].public_ip
port = 22
private_key = file("${path.module}/../keys/${local.random_name}.pem")
private_key = file("${local.keys_dir}/${local.random_name}.pem")
timeout = "5m"
}
provisioner "remote-exec" {
9 changes: 6 additions & 3 deletions e2e/terraform/provision-infra/nomad.tf
Expand Up @@ -23,12 +23,13 @@ module "nomad_server" {
aws_kms_key_id = data.aws_kms_alias.e2e.target_key_id

uploads_dir = local.uploads_dir
keys_dir = local.keys_dir

connection = {
type = "ssh"
user = "ubuntu"
port = 22
private_key = "${path.module}/../keys/${local.random_name}.pem"
private_key = "${local.keys_dir}/${local.random_name}.pem"
}
}

Expand All @@ -52,12 +53,13 @@ module "nomad_client_ubuntu_jammy" {
tls_ca_cert = tls_self_signed_cert.ca.cert_pem

uploads_dir = local.uploads_dir
keys_dir = local.keys_dir

connection = {
type = "ssh"
user = "ubuntu"
port = 22
private_key = "${path.module}/../keys/${local.random_name}.pem"
private_key = "${local.keys_dir}/${local.random_name}.pem"
}
}

Expand All @@ -83,11 +85,12 @@ module "nomad_client_windows_2016" {
tls_ca_cert = tls_self_signed_cert.ca.cert_pem

uploads_dir = local.uploads_dir
keys_dir = local.keys_dir

connection = {
type = "ssh"
user = "Administrator"
port = 22
private_key = "${path.module}/../keys/${local.random_name}.pem"
private_key = "${local.keys_dir}/${local.random_name}.pem"
}
}
20 changes: 10 additions & 10 deletions e2e/terraform/provision-infra/outputs.tf
Expand Up @@ -26,16 +26,16 @@ Then you can run tests from the e2e directory with:
ssh into servers with:
%{for ip in aws_instance.server.*.public_ip~}
ssh -i keys/${local.random_name}.pem ubuntu@${ip}
ssh -i keys/${local.random_name}/${local.random_name}.pem ubuntu@${ip}
%{endfor~}
ssh into clients with:
%{for ip in aws_instance.client_ubuntu_jammy.*.public_ip~}
ssh -i keys/${local.random_name}.pem ubuntu@${ip}
ssh -i keys/${local.random_name}/${local.random_name}.pem ubuntu@${ip}
%{endfor~}
%{for ip in aws_instance.client_windows_2016.*.public_ip~}
ssh -i keys/${local.random_name}.pem Administrator@${ip}
ssh -i keys/${local.random_name}/${local.random_name}.pem Administrator@${ip}
%{endfor~}
EOM
Expand All @@ -49,14 +49,14 @@ output "environment" {
sensitive = true
value = <<EOM
export NOMAD_ADDR=https://${aws_instance.server[0].public_ip}:4646
export NOMAD_CACERT=${abspath(path.module)}/keys/tls_ca.crt
export NOMAD_CLIENT_CERT=${abspath(path.module)}/keys/tls_api_client.crt
export NOMAD_CLIENT_KEY=${abspath(path.module)}/keys/tls_api_client.key
export NOMAD_CACERT=${abspath(local.keys_dir)}/tls_ca.crt
export NOMAD_CLIENT_CERT=${abspath(local.keys_dir)}/tls_api_client.crt
export NOMAD_CLIENT_KEY=${abspath(local.keys_dir)}/tls_api_client.key
export NOMAD_TOKEN=${data.local_sensitive_file.nomad_token.content}
export NOMAD_E2E=1
export CONSUL_HTTP_ADDR=https://${aws_instance.consul_server.public_ip}:8501
export CONSUL_HTTP_TOKEN=${local_sensitive_file.consul_initial_management_token.content}
export CONSUL_CACERT=${abspath(path.module)}/keys/tls_ca.crt
export CONSUL_CACERT=${abspath(local.keys_dir)}/tls_ca.crt
EOM
}

Expand All @@ -65,15 +65,15 @@ output "nomad_addr" {
}

output "ca_file" {
value = "${abspath(path.module)}/keys/tls_ca.crt"
value = "${abspath(local.keys_dir)}/tls_ca.crt"
}

output "cert_file" {
value = "${abspath(path.module)}/keys/tls_api_client.crt"
value = "${abspath(local.keys_dir)}/tls_api_client.crt"
}

output "key_file" {
value = "${abspath(path.module)}/keys/tls_api_client.key"
value = "${abspath(local.keys_dir)}/tls_api_client.key"
}

output "nomad_token" {
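Review bot: The rewritten ssh hints `ssh -i keys/${local.random_name}/${local.random_name}.pem ...` (three places in the first hunk) do not match where the key is actually written: `local.keys_dir` in provision-infra/main.tf is `${path.module}/keys/${random_pet.e2e.id}`, so the per-cluster directory is named after the pet id, not `local.random_name`, and it lives under provision-infra/ rather than the working directory the relative `keys/` prefix implies. The environment output in the second hunk already uses `${abspath(local.keys_dir)}`; the hints should do the same, e.g. `ssh -i ${abspath(local.keys_dir)}/${local.random_name}.pem ubuntu@${ip}` and the matching Administrator line. The README change in this commit documents `keys/<cluster-name>/...` and would need the same correction.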
12 changes: 6 additions & 6 deletions e2e/terraform/provision-infra/provision-nomad/main.tf
Expand Up @@ -67,7 +67,7 @@ resource "null_resource" "upload_consul_configs" {
destination = "/tmp/consul_cert.pem"
}
provisioner "file" {
source = "${path.module}/../keys/tls_ca.crt"
source = "${var.keys_dir}/tls_ca.crt"
destination = "/tmp/consul_ca.crt"
}
provisioner "file" {
Expand Down Expand Up @@ -136,23 +136,23 @@ resource "null_resource" "upload_nomad_configs" {
destination = "/tmp/agent-${var.instance.public_ip}.crt"
}
provisioner "file" {
source = "${path.module}/../keys/tls_api_client.key"
source = "${var.keys_dir}/tls_api_client.key"
destination = "/tmp/tls_proxy.key"
}
provisioner "file" {
source = "${path.module}/../keys/tls_api_client.crt"
source = "${var.keys_dir}/tls_api_client.crt"
destination = "/tmp/tls_proxy.crt"
}
provisioner "file" {
source = "${path.module}/../keys/tls_ca.crt"
source = "${var.keys_dir}/tls_ca.crt"
destination = "/tmp/ca.crt"
}
provisioner "file" {
source = "${path.module}/../keys/self_signed.key"
source = "${var.keys_dir}/self_signed.key"
destination = "/tmp/self_signed.key"
}
provisioner "file" {
source = "${path.module}/../keys/self_signed.crt"
source = "${var.keys_dir}/self_signed.crt"
destination = "/tmp/self_signed.crt"
}
}
4 changes: 2 additions & 2 deletions e2e/terraform/provision-infra/provision-nomad/tls.tf
Expand Up @@ -34,10 +34,10 @@ resource "tls_locally_signed_cert" "nomad" {

resource "local_sensitive_file" "nomad_client_key" {
content = tls_private_key.nomad.private_key_pem
filename = "keys/agent-${var.instance.public_ip}.key"
filename = "${var.keys_dir}/agent-${var.instance.public_ip}.key"
}

resource "local_sensitive_file" "nomad_client_cert" {
content = tls_locally_signed_cert.nomad.cert_pem
filename = "keys/agent-${var.instance.public_ip}.crt"
filename = "${var.keys_dir}/agent-${var.instance.public_ip}.crt"
}
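--- a/e2e/terraform/provision-infra/provision-nomad/variables.tf
+++ b/e2e/terraform/provision-infra/provision-nomad/variables.tf
@@ -93,3 +93,9 @@ variable "uploads_dir" {
 description = "Directory where all the configuration files for nomad, consul and vault will be taken from to configure each nomad node"
 default = ""
 }
+
+variable "keys_dir" {
+type = string
+description = "Directory where all the configuration TLS and SSH keys and certificates will be stored fro provisioning"
+default = ""
+}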
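Review bot: The new `keys_dir` variable defaults to `""`, so a caller that omits it turns every `"${var.keys_dir}/..."` path in provision-nomad/main.tf and tls.tf into a filesystem-root path such as `/tls_ca.crt`, which only fails at apply time; since all three module calls in nomad.tf pass `keys_dir`, dropping the `default` line makes the omission a plan-time error instead. The description also has a typo ("fro") and reads awkwardly; suggest `description = "Directory where the TLS certificates and keys and the SSH key used for provisioning are stored"`.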
4 changes: 2 additions & 2 deletions e2e/terraform/provision-infra/scripts/bootstrap-nomad.sh
Expand Up @@ -19,8 +19,8 @@ set -e

export NOMAD_TOKEN="$ROOT_TOKEN"

mkdir -p ../keys
echo $NOMAD_TOKEN > "${DIR}/../keys/nomad_root_token"
mkdir -p "$NOMAD_TOKEN_PATH"
echo $NOMAD_TOKEN > "${NOMAD_TOKEN_PATH}/nomad_root_token"
echo NOMAD_TOKEN=$NOMAD_TOKEN

# Our default policy after bootstrapping will be full-access. Without
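Review bot: `echo $NOMAD_TOKEN > "${NOMAD_TOKEN_PATH}/nomad_root_token"` writes the root ACL token with whatever the process umask allows (commonly 0644), whereas the other secrets in this tree are created through `local_sensitive_file` (the Consul token explicitly with `file_permission = "0600"`); the directory from `mkdir -p "$NOMAD_TOKEN_PATH"` inherits the umask as well. Restricting both in the script keeps the new location consistent, e.g. `( umask 077; mkdir -p "$NOMAD_TOKEN_PATH"; echo "$NOMAD_TOKEN" > "${NOMAD_TOKEN_PATH}/nomad_root_token" )`, and quoting `"$NOMAD_TOKEN"` also avoids word splitting. The unchanged `echo NOMAD_TOKEN=$NOMAD_TOKEN` on the following line still prints the token to provisioner output, which lands in Terraform logs; that predates this commit but is worth a follow-up.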
4 changes: 2 additions & 2 deletions e2e/terraform/provision-infra/tls_ca.tf
Expand Up @@ -23,11 +23,11 @@ resource "tls_self_signed_cert" "ca" {
}

resource "local_sensitive_file" "ca_key" {
filename = "${path.module}/keys/tls_ca.key"
filename = "${local.keys_dir}/tls_ca.key"
content = tls_private_key.ca.private_key_pem
}

resource "local_sensitive_file" "ca_cert" {
filename = "${path.module}/keys/tls_ca.crt"
filename = "${local.keys_dir}/tls_ca.crt"
content = tls_self_signed_cert.ca.cert_pem
}
8 changes: 4 additions & 4 deletions e2e/terraform/provision-infra/tls_client.tf
Expand Up @@ -34,12 +34,12 @@ resource "tls_locally_signed_cert" "api_client" {

resource "local_sensitive_file" "api_client_key" {
content = tls_private_key.api_client.private_key_pem
filename = "${path.module}/keys/tls_api_client.key"
filename = "${local.keys_dir}/tls_api_client.key"
}

resource "local_sensitive_file" "api_client_cert" {
content = tls_locally_signed_cert.api_client.cert_pem
filename = "${path.module}/keys/tls_api_client.crt"
filename = "${local.keys_dir}/tls_api_client.crt"
}

# Self signed cert for reverse proxy
Expand All @@ -66,10 +66,10 @@ resource "tls_self_signed_cert" "self_signed" {

resource "local_sensitive_file" "self_signed_key" {
content = tls_private_key.self_signed.private_key_pem
filename = "${path.module}/keys/self_signed.key"
filename = "${local.keys_dir}/self_signed.key"
}

resource "local_sensitive_file" "self_signed_cert" {
content = tls_self_signed_cert.self_signed.cert_pem
filename = "${path.module}/keys/self_signed.crt"
filename = "${local.keys_dir}/self_signed.crt"
}
