upgrade the clustering tokens to use runtime podman secrets

README.md

@@ -164,11 +164,11 @@ and run the shell commands below on your 2nd (or 3rd, etc.) VM.
 ```sh
 FIRST=vm1.example.com
 set -u
-TOK_C=$(ssh $FIRST 'sudo podman exec hind sh -c "grep -E ^encrypt.= \$CONSUL_HCL"' |cut -f2- -d= |tr -d '\t "{}')
-TOK_N=$(ssh $FIRST 'sudo podman exec hind sh -c "grep -E  encrypt.= \$NOMAD_HCL"'  |cut -f2- -d= |tr -d '\t "{}')
+# copy secrets from FIRST to this VM
+ssh $FIRST 'sudo podman run --rm --secret HIND_C,type=env hind sh -c "echo -n \$HIND_C"' |sudo podman secret create HIND_C -
+ssh $FIRST 'sudo podman run --rm --secret HIND_N,type=env hind sh -c "echo -n \$HIND_N"' |sudo podman secret create HIND_N -
 
-curl -sS https://internetarchive.github.io/hind/install.sh | \
-  sudo sh -s --  -e FIRST=$FIRST  -e TOK_C=$TOK_C  -e TOK_N=$TOK_N
+curl -sS https://internetarchive.github.io/hind/install.sh | sudo sh -s -- -e FIRST=$FIRST
 ```
 
 

bin/bootstrap.sh

@@ -9,10 +9,8 @@ if [ $FIRST ]; then
   # setup for 2+ VMs to have their nomad and consul daemons be able to talk to each other
   export FIRSTIP=$(host $FIRST | perl -ane 'print $F[3] if $F[2] eq "address"' | head -1)
 
-  echo "encrypt = \"$TOK_C\""        >> $CONSUL_HCL
   echo "retry_join = [\"$FIRSTIP\"]" >> $CONSUL_HCL
 
-  echo "server { encrypt = \"$TOK_N\" }"               >> $NOMAD_HCL
   echo "server_join { retry_join = [ \"$FIRSTIP\" ] }" >> $NOMAD_HCL
   echo "server { bootstrap_expect = 2 }"               >> $NOMAD_HCL
 else
@@ -42,8 +40,8 @@ if [ ! $FIRST ]; then
   # try up to ~10m to bootstrap nomad
   for try in $(seq 0 600)
   do
-    TOK_C=$(consul keygen | tr -d ^)
-    TOK_N=$(nomad operator gossip keyring generate | tr -d ^)
+    consul keygen | tr -d ^ | podman secret create HIND_C -
+    nomad operator gossip keyring generate | tr -d ^ | podman secret create HIND_N -
 
     set +e
     nomad acl bootstrap 2>/tmp/boot.log >> /tmp/bootstrap
@@ -55,10 +53,6 @@ if [ ! $FIRST ]; then
   done
   set -e
 
-  # setup for 2+ VMs to have their nomad and consul daemons be able to talk to each other
-  echo "encrypt = \"$TOK_C\"" >> $CONSUL_HCL
-  echo "server { encrypt = \"$TOK_N\" }" >> $NOMAD_HCL
-
   echo export NOMAD_TOKEN=$(fgrep 'Secret ID' /tmp/bootstrap |cut -f2- -d= |tr -d ' ') > $CONFIG
   rm -f /tmp/bootstrap
 

bin/entrypoint.sh

@@ -10,6 +10,9 @@ if [ ! -e $CONFIG ]; then
   exit 0
 fi
 
+setopt HIST_NO_STORE
+sed -i "s/RUNTIME_REPLACED/$HIND_C/" $CONSUL_HCL
+sed -i "s/RUNTIME_REPLACED/$HIND_N/" $NOMAD_HCL
 
 # set for `nomad run` of jobs with `podman` driver
 podman system service -t 0 & # xxx

etc/consul.hcl

@@ -9,3 +9,6 @@ limits {
   # default of 200 is too low for clusters with 200+ deploys
   http_max_conns_per_client = 32767
 }
+
+# setup for 2+ VMs to have their consul daemons be able to talk to each other
+encrypt = "RUNTIME_REPLACED"

etc/nomad.hcl

@@ -42,4 +42,7 @@ server {
     # we use `memory` and `memory_max` in our `project.nomad` template
     memory_oversubscription_enabled = true
   }
+
+  # setup for 2+ VMs to have their nomad daemons be able to talk to each other
+  encrypt = "RUNTIME_REPLACED"
 }

install.sh

@@ -11,7 +11,7 @@ podman -v > /dev/null || exit 1
 
 (
   set -x
-  # xxx document & whay the 2 mkdirs on the outside/VM:
+  # xxx document & why the 2 mkdirs on the outside/VM:
   mkdir -p -m777 /pv/CERTS
   mkdir -p -m777 /opt/nomad/data/alloc
   podman run --net=host --privileged --cgroupns=host \
@@ -30,6 +30,7 @@ if [ "$HOST_UNAME" = Darwin ]; then
       -v /var/lib/containers:/var/lib/containers \
       -v /opt/nomad/data/alloc:/opt/nomad/data/alloc \
       -v /pv:/pv \
+      -secret HIND_C,type=env -secret HIND_N,type=env \
       --restart=always --name hind -d -q "$@" hind >/dev/null
   )
 else
@@ -40,6 +41,7 @@ else
       -v /var/lib/containers:/var/lib/containers \
       -v /opt/nomad/data/alloc:/opt/nomad/data/alloc \
       -v /pv:/pv \
+      -secret HIND_C,type=env -secret HIND_N,type=env \
       --restart=always --name hind -d -q "$@" hind >/dev/null
   )
 fi