hoeghh / hashistack Goto Github PK

Sometimes its nice to force something to run on eg. servers. This could be eg. an ingress controller.
So, we need to add a meta to each VM, given its role ["server", "client"]

We still need Vault in the stack, and we need to figure out if it should be installed on the hosts, or via Nomad.

We would love for Nomad and Vault to integrate. Getting secrets from Vault when deploying a job in Nomad

We need to add some documentation on how this thing works. Like how you get the libvirt plugin ready, setting variables and running it.

Currently everyone can open Consul and peek around.
We would like to have some Access control on Consul.

We should not merge anything to master that terraform doesnt approve. So a github action that checks the code would be great.

Currently everyone can open Nomad and start jobs in the cluster.
We would like to enable Access Control, in an automated way.

Consul should use certificates when running and comminucating. The dummy certificates exist in the certificate folder, but are not used yet. We need to carrie them to the servers, and specify them in the consul configuration. Also, we need to make it easy for people to create their own set of certificates and use those instead.

We need to make a clear warning on the front page, that dummy certificates provided here, should not be used in production or any site that is used. These are intended to be used only to test that this works.

We should add a code of conduct document / link to the project. The CNCF might be a fine fit.

One way we could do it, was to use the http provider to call the vault api

curl --request PUT -k -d '{"secret_shares": 10, "secret_threshold": 5}' https://10.18.3.12:8200/v1/sys/init
{
  "keys": [
    "7cee5c863cdc806407760655337fd8a01ae9157f4accd16ab54975b4ccf8f6b793",
    "7a1be29df49eb5b5ce59bf5638dae7bb3ab38db0b0a2752aeed1433a7ad9805502",
    "b65ffc6c0e10623942b94ab0b2b01db692fd4246371478a02320b467fab4d42cdd",
    "0ac8af82956a11c0e0040774c2ba437cd24dfcde2c51fdd21e68aa6a9aa7284892",
    "6cb7b8a1063be24d1b1ac3dce921ef434f28695a440666cf644cecab0183e3be6c",
    "351096581567bdf07acbad41437252469c7867f47da2c9317bdd0d120a87f88e31",
    "c8ed982b82e6c2c74391be888e58f863a759201a063ff37ee798dc1c542cae74f7",
    "683f89eb3b47a852e27e1753ce17e2c54b5af75cb287db9d422a54b653339cc0d0",
    "d4afea4635b8599a9c6e9fad123fd1041d1e42d532d4d40b0856a7288604119fc4",
    "94c89a33e8fb0d3d381dc285c6752214c8b34d39e4e9ef9d187b51299e8768b164"
  ],
  "keys_base64": [
    "fO5chjzcgGQHdgZVM3/YoBrpFX9KzNFqtUl1tMz49reT",
    "ehvinfSetbXOWb9WONrnuzqzjbCwonUq7tFDOnrZgFUC",
    "tl/8bA4QYjlCuUqwsrAdtpL9QkY3FHigIyC0Z/q01Czd",
    "CsivgpVqEcDgBAd0wrpDfNJN/N4sUf3SHmiqapqnKEiS",
    "bLe4oQY74k0bGsPc6SHvQ08oaVpEBmbPZEzsqwGD475s",
    "NRCWWBVnvfB6y61BQ3JSRpx4Z/R9oskxe90NEgqH+I4x",
    "yO2YK4LmwsdDkb6Ijlj4Y6dZIBoGP/N+55jcHFQsrnT3",
    "aD+J6ztHqFLifhdTzhfixUta91yyh9udQipUtlMznMDQ",
    "1K/qRjW4WZqcbp+tEj/RBB0eQtUy1NQLCFanKIYEEZ/E",
    "lMiaM+j7DT04HcKFxnUiFMizTTnk6e+dGHtRKZ6HaLFk"
  ],
  "root_token": "s.a0EOeHaeXCxrsUZztaWEmFor"
}

So we would run one init, and then x (number of servers) unseal.

Links :
https://www.vaultproject.io/api/system/init
https://www.vaultproject.io/api-docs/system/unseal
https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http