gostint

command module
v0.6.7
Warning

This package is not in the latest version of its module.

Published: Aug 31, 2018 License: GPL-3.0 Imports: 15 Imported by: 0

README

gostint - A Shallow RESTful api for Ansible, Terraform ...

... and basically anything you would like to run as jobs in docker containers, authenticated with Hashicorp Vault AppRoles with Secret Injection.

Formerly called goswim.

gostint: stint - an allotted amount or piece of work

The goal is to be a Highly Available and Scalable API for automation.

See Concept Ideas

At this stage this project is a proof-of-concept and under development...

See the build_test_dev script for an example of starting the gostint docker container with the instances of Vault and MongoDB running in the vagrant container.

See the bats tests folder for example curl-based BATS tests that demonstrate driving the gostint api to run a selection of Docker container based jobs. The JSON jobs used in these tests are in the respective test files.

Features

  • Integrated with Hashicorp Vault AppRole.
  • Secrets in Vault can be referenced in a job request; they are then populated and injected into the job's running container.
  • Additional content can be flexibly injected into the job container from the json request.
  • Can run any job in any required docker image, e.g. Ansible, Terraform, Busybox, Powershell, and the versions of the job execution containers can be pinned.
  • Serialisation queues are dynamic and created on the fly.

Usage

Prerequisites
  1. A MongoDB service

  2. A Hashicorp Vault service. See the test setup in scripts/init_vault.sh for an example of enabling the MongoDB Secret Engine in Vault.

  3. SSL Key and Certificate for gostint - key.pem and cert.pem stored in a persistent volume, shown below as /srv/gostint-1/etc

Running the gostint docker container

A very basic setup for a single instance of gostint:

# point to your vault's url (exported so that the vault CLI picks it up)
export VAULT_ADDR="${VAULT_ADDR:-https://your.vault.host:8200}"

# login to the vault - using your chosen authentication scheme in vault
vault login # to get a <token>

# Request a MongoDB secret engine token for gostint to request an ephemeral
# time-bound username/password pair.
token=$(curl -s \
  --request POST \
  --header 'X-Vault-Token: <token>' \
  --data '{"policies": ["gostint-mongodb-auth"], "ttl": "10m", "num_uses": 2}' \
  "${VAULT_ADDR}/v1/auth/token/create" | jq .auth.client_token -r)

# Get gostint's AppRole RoleId from the Vault
# (the literal token 'root' only works where that is a valid token, such as a
# test Vault; otherwise use your <token>)
roleid=$(curl -s --header 'X-Vault-Token: root' \
  "${VAULT_ADDR}/v1/auth/approle/role/gostint-role/role-id" | jq .data.role_id -r)

# Run gostint
# (--privileged=true gives the container all capabilities and access to host devices)
docker run --init -d \
  --name gostint -p 3232:3232 \
  --privileged=true \
  -v /srv/gostint-1/etc:/var/lib/gostint \
  -e VAULT_ADDR="$VAULT_ADDR" \
  -e GOSTINT_DBAUTH_TOKEN="$token" \
  -e GOSTINT_ROLEID="$roleid" \
  -e GOSTINT_DBURL=your-db-host:27017 \
  goethite/gostint
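
A preflight check for the files and values the steps above produce, as an added example that is not part of gostint or its README: `jq -r` prints the literal string `null` when Vault answers with an error document, so an unchecked `$token` or `$roleid` can reach the container as `null`. The function names are hypothetical, and the owner-only permission check on key.pem is an assumption about the deployment.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not gostint code): run before `docker run`.

# A value extracted with `jq -r` is the literal string "null" when the field
# was absent, e.g. when Vault returned {"errors": [...]} instead of the data.
vault_value_ok() {
  case "$1" in
    ""|null) return 1 ;;
    *) return 0 ;;
  esac
}

# True when the file has no group/other permission bits set
# (characters 5-10 of the `ls -l` mode string).
private_file() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# gostint_preflight ETC_DIR DBAUTH_TOKEN ROLEID
# Prints one line per problem on stderr and returns the number of problems.
gostint_preflight() {
  etc_dir=$1 token=$2 roleid=$3 problems=0
  for f in key.pem cert.pem; do
    if [ ! -s "$etc_dir/$f" ]; then
      echo "missing or empty: $etc_dir/$f" >&2
      problems=$((problems + 1))
    fi
  done
  # Assumption: the TLS private key should be readable by its owner only.
  if [ -f "$etc_dir/key.pem" ] && ! private_file "$etc_dir/key.pem"; then
    echo "key.pem is accessible to group/other" >&2
    problems=$((problems + 1))
  fi
  if ! vault_value_ok "$token"; then
    echo "GOSTINT_DBAUTH_TOKEN is empty or 'null'" >&2
    problems=$((problems + 1))
  fi
  if ! vault_value_ok "$roleid"; then
    echo "GOSTINT_ROLEID is empty or 'null'" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}
```

Call it as `gostint_preflight /srv/gostint-1/etc "$token" "$roleid" || exit 1` between the role-id lookup and `docker run`.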

Going HA and Scalable with gostint

See gostint-helm for (a work-in-progress) PoC HA deployment of gostint using mongodb, etcd and vault on kubernetes.

LICENSE - GPLv3

Copyright 2018 Graham Lee Bevan <graham.bevan@ntlworld.com>

gostint is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

gostint is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with gostint.  If not, see <https://www.gnu.org/licenses/>.

Documentation


There is no documentation for this package.

Directories

Path Synopsis
v1
job
