https://github.com/GuyBarros/nomad_jobs
A collection of Nomad jobs to run as part of the meanstack-consul-connect demo
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/GuyBarros/nomad_jobs
- Owner: GuyBarros
- License: apache-2.0
- Created: 2018-10-17T12:07:31.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-07-18T11:51:50.000Z (4 months ago)
- Last Synced: 2024-07-19T15:36:53.743Z (4 months ago)
- Language: HCL
- Size: 216 KB
- Stars: 138
- Watchers: 3
- Forks: 38
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# nomad_jobs
A collection of Nomad jobs to run as part of the meanstack-consul-connect demo.

These are tightly coupled with the Nomad cluster created by the `terraform-aws-demostack` repo.

***These should NOT be used as examples of a production deployment.***
- [PostgreSQL dynamic credentials](#postgresql-dynamic-credentials)
- [Vault SSH OTP](#vault-ssh-otp)
- [Vault SSH CA](#vault-ssh-ca)
- [LDAP Auth](#ldap-auth)

## List demos

### PostgreSQL dynamic credentials
Declare the following in your `runjobs.tf`
```hcl
resource "nomad_job" "postgresSQL" {
  jobspec = "${file("./postgresSQL.nomad")}"
}

resource "nomad_job" "pgadmin" {
  jobspec = "${file("./pgadmin.nomad")}"
}
```
The first resource deploys the PostgreSQL database, whilst the second deploys the pgAdmin tool.

Once you open the _pgadmin_ tool, there is already a preconfigured connection named `Server Group 1` with:
* host: postgres.service.consul:5432
* username = "root"
* password = "rootpassword"
* SSL disabled
* database = postgres

Set up your Vault:
```bash
vault secrets enable database
vault write database/config/postgresql plugin_name=postgresql-database-plugin connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable" allowed_roles="*" username="root" password="rootpassword"
# creation_statements is read from the readonly.sql file shipped in this repo
vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql default_ttl=1h max_ttl=24h
```
You can find the `readonly.sql` file in this repo.
```bash
# read credentials
vault read database/creds/readonly
```

### Vault SSH OTP
Declare the following in your `runjobs.tf`, where `nomad_node` is the name of the Nomad node you want to SSH into.
```hcl
data "template_file" "vault-ssh-helper" {
  template = "${file("./vault-ssh-helper.nomad.tpl")}"
  vars = {
    nomad_node = "ric-lnd-stack-server-1"
  }
}

resource "nomad_job" "vault-ssh-helper" {
  jobspec = "${data.template_file.vault-ssh-helper.rendered}"
}
```
Afterwards, set up Vault:
```bash
vault secrets enable ssh
vault write ssh/roles/otp_key_role key_type=otp default_user=ubuntu cidr_list=0.0.0.0/0
```
From your client machine you will then be able to access the node:
```bash
vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no ubuntu@
```

### Vault SSH CA
Declare the following in your `runjobs.tf`, where `nomad_node` is the name of the Nomad node you want to SSH into.
```hcl
data "template_file" "vault-ssh-ca" {
  template = "${file("./vault-ssh-ca.nomad.tpl")}"
  vars = {
    nomad_node = "ric-lnd-stack-server-1"
  }
}

resource "nomad_job" "vault-ssh-ca" {
  jobspec = "${data.template_file.vault-ssh-ca.rendered}"
}
```
This demo already sets up your Vault with the right backend and role.
To use it, make sure you have an existing SSH key pair (`ssh-keygen -t rsa -C "<your-email>"`).

Then sign your key and save it to disk:
```bash
# to sign your key
vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub

# (Optional) to inspect the signed certificate
ssh-keygen -Lf signed-cert.pub

# Then just sign in (replacing your server hostname)
ssh -i signed-cert.pub -i ~/.ssh/id_rsa ubuntu@
```

### LDAP Auth
Declare the following in your `runjobs.tf`:
```hcl
resource "nomad_job" "ldap-server" {
  jobspec = "${file("./ldap-server.nomad")}"
}

resource "nomad_job" "phpldapadmin" {
  jobspec = "${file("./phpldapadmin.nomad")}"
}
```
You can log in via `fabio` on `http://fabio..hashidemos.io:9999/phpldapadmin-server/` as `cn=admin,dc=example,dc=org` to view the users that are pre-loaded.
To configure vault for the control groups demo, see [LDAP-configure-Vault-Script](LDAP-configure-Vault-Script.md)
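The README states up front that these steps are not a production deployment, and the Vault commands above show why: `sslmode=disable` on the database connection, `allowed_roles="*"`, a root password left as typed, an OTP role with `cidr_list=0.0.0.0/0`, and `-strict-host-key-checking=no` on the client. The script below is an added example, not code from this repo: a text-only pre-flight lint that pattern-matches those `key=value` flags on each `vault write` / `vault ssh` line and reports the demo-only settings, run here over the README's own steps and over a hardened counterpart. It does not talk to Vault. Assumptions are marked in the comments: the hostname `nomad-node.example` and the subnet `10.0.0.0/16` are placeholders, and the hardened version relies on Vault's `database/rotate-root/<name>` endpoint to retire the password that had to be typed on the config line.

```shell
#!/usr/bin/env bash
# Added pre-flight lint for the Vault CLI steps in this README. It is not part
# of the nomad_jobs repo: it pattern-matches the key=value flags on each
# "vault write" / "vault ssh" line and reports the demo-only settings, so a
# hardened version of the script can be checked before it is run against Vault.

lint_vault_script() {
  # $1: newline-separated vault commands. Prints one finding per line.
  local script="$1" line rest path name rotated=""

  # First pass: note which database connections get their root credential
  # rotated (database/rotate-root/<name>), so a static password on the
  # config line is acceptable when a rotation follows.
  while IFS= read -r line; do
    case "$line" in
      *database/rotate-root/*) rotated="$rotated ${line##*database/rotate-root/} " ;;
    esac
  done <<EOF
$script
EOF

  # Second pass: flag the settings the README itself marks as not production.
  while IFS= read -r line; do
    case "$line" in
      "vault ssh "*)
        case "$line" in *-strict-host-key-checking=no*)
          echo "vault ssh: -strict-host-key-checking=no skips host key verification; keep the check on" ;;
        esac
        continue ;;
      "vault write "*) ;;
      *) continue ;;
    esac
    rest=${line#vault write }
    rest=${rest#-f }
    path=${rest%% *}

    case "$line" in *sslmode=disable*)
      echo "$path: sslmode=disable sends the database credential in cleartext; use sslmode=verify-full with a trusted CA" ;;
    esac
    case "$line" in *'allowed_roles="*"'*)
      echo "$path: allowed_roles=\"*\" lets every database role use this connection; list the roles explicitly" ;;
    esac
    case "$line" in *cidr_list=0.0.0.0/0*)
      echo "$path: cidr_list=0.0.0.0/0 lets this role issue OTPs for any address; restrict it to the node subnet" ;;
    esac
    case "$path" in database/config/*)
      name=${path#database/config/}
      case "$line" in *password=*)
        case "$rotated" in
          *" $name "*) ;;  # rotated afterwards: the typed password stops working
          *) echo "$path: root password stays as typed; follow with 'vault write -f database/rotate-root/$name'" ;;
        esac ;;
      esac ;;
    esac
  done <<EOF
$script
EOF
}

count_findings() {
  # Number of findings for the script in $1 (0 means it passed the lint).
  lint_vault_script "$1" | awk 'END { print NR }'
}

# Constructed input: the README's own steps, with creation_statements pointing
# at the repo's readonly.sql and a placeholder hostname for the ssh step.
DEMO_SCRIPT='vault write database/config/postgresql plugin_name=postgresql-database-plugin connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=disable" allowed_roles="*" username="root" password="rootpassword"
vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql default_ttl=1h max_ttl=24h
vault write ssh/roles/otp_key_role key_type=otp default_user=ubuntu cidr_list=0.0.0.0/0
vault ssh -role otp_key_role -mode otp -strict-host-key-checking=no ubuntu@nomad-node.example'

# Constructed hardened equivalent: TLS verified, roles listed explicitly, root
# credential rotated right after configuration, OTP role limited to an assumed
# node subnet (10.0.0.0/16), host key checking left on.
HARDENED_SCRIPT='vault write database/config/postgresql plugin_name=postgresql-database-plugin connection_url="postgresql://{{username}}:{{password}}@postgres.service.consul:5432/postgres?sslmode=verify-full" allowed_roles="readonly" username="root" password="rootpassword"
vault write -f database/rotate-root/postgresql
vault write database/roles/readonly db_name=postgresql creation_statements=@readonly.sql default_ttl=1h max_ttl=24h
vault write ssh/roles/otp_key_role key_type=otp default_user=ubuntu cidr_list=10.0.0.0/16
vault ssh -role otp_key_role -mode otp ubuntu@nomad-node.example'

echo "demo script: $(count_findings "$DEMO_SCRIPT") finding(s)"
lint_vault_script "$DEMO_SCRIPT"
echo "hardened script: $(count_findings "$HARDENED_SCRIPT") finding(s)"
```

Run it as-is to see the five findings against the README's steps and none against the hardened script; to lint your own `runjobs`-side setup, pass the commands as one string to `lint_vault_script`. The rotate-root rule shows the design choice worth copying: the initial password cannot be avoided (Vault needs it to reach PostgreSQL once), so the lint accepts it only when the same connection is rotated afterwards, rather than flagging every `password=` outright.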