Merge pull request #103 from code42/CO-13953-acl

chore: Use Nomad ACL token instead of mTLS
code42 · Feb 24, 2022 · ce12b33 · ce12b33
2 parents 3c408d0 + 2d2e045
commit ce12b33
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -19,10 +19,6 @@ Axiomatic uses environment variables to override the default configuration value
 * AXIOMATIC_SSH_PRIV_KEY (**required**) is the private ssh key used for cloning repositories. It must be base64 encoded.
 * AXIOMATIC_SSH_PUB_KEY (**required**) is the public ssh key used for cloning repositories.
 * NOMAD_ADDR is the address of the Nomad server. Default = `http://127.0.0.1:4646`
-* NOMAD_CACERT is the path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate.
-* NOMAD_CAPATH is the path to a directory of PEM encoded CA cert files to verify the Nomad server SSL certificate.
-* NOMAD_CLIENT_CERT Path to a PEM encoded client certificate for TLS authentication to the Nomad server.
-* NOMAD_CLIENT_KEY Path to an unencrypted PEM encoded private key matching the client certificate.
 * NOMAD_NAMESPACE is the target namespace for queries and actions. Default = `default`
 * NOMAD_REGION is region of the Nomad servers to forward commands.
 * NOMAD_TOKEN is the SecretID of an ACL token to use to authenticate API requests.

diff --git a/axiomatic.nomad b/axiomatic.nomad
@@ -23,33 +23,15 @@ job "axiomatic" {
         AXIOMATIC_IP = "0.0.0.0"
         AXIOMATIC_PORT = "8181"
         GITHUB_SECRET = "you-deserve-what-you-get"
-        NOMAD_CACERT = "/local/certs/nomad-ca.pem"
-        NOMAD_CLIENT_CERT = "/local/certs/cli.pem"
-        NOMAD_CLIENT_KEY = "/local/certs/cli-key.pem"
       }
       template {
         data = <<EOH
-{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
-{{ .Data.issuing_ca }}
+NOMAD_TOKEN={{ with secret "secrets/team/empower-rangers/nomad-bootstrap-token" }}
+{{ .Data.token }}
 {{ end }}
 EOH
-        destination = "/local/certs/nomad-ca.pem"
-      }
-      template {
-        data = <<EOH
-{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
-{{ .Data.certificate }}
-{{ end }}
-EOH
-        destination = "/local/certs/cli.pem"
-      }
-      template {
-        data = <<EOH
-{{ with secret "pki_int/issue/nomad-cluster" "ttl=24h" }}
-{{ .Data.private_key }}
-{{ end }}
-EOH
-        destination = "/local/certs/cli-key.pem"
+        destination = "local/secrets.env"
+        env         = true
       }
 
       resources {
@@ -77,6 +59,6 @@ EOH
   type = "service"
 
   vault = {
-    policies = ["tls-policy"]
+    policies = ["secrets-team-empower-rangers-read"]
   }
 }