feat: manage openbao audit devices

- manage openbao audit devices in the configuration file
- enable audit and audit_raw logs
- enable API access for creating audit devices
- restart vault service when changing the configuration file
Ben Vincent 2025-11-20 19:48:37 +11:00
parent a5b9850e82
commit 35935db963
2 changed files with 20 additions and 22 deletions


@ -4,7 +4,21 @@ profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false profiles::vault::server::tls_disable: false
profiles::vault::server::audit_log: /data/vault/audit.log profiles::vault::server::audit_devices:
- file:
audit_raw:
options:
path: audit_raw
type: file
file_path: /data/vault/audit_raw.log
log_raw: "true"
- file:
audit_file:
options:
path: audit_file
type: file
file_path: /data/vault/audit.log
log_raw: "false"
vault::package_name: openbao vault::package_name: openbao
vault::package_ensure: latest vault::package_ensure: latest
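Review bot: `log_raw: "true"` on the `audit_raw` device (the `file_path: /data/vault/audit_raw.log` entry) turns off the HMAC that the audit device otherwise applies to request and response values, so tokens and secret payloads land in that file in clear text and it needs the same protection as the storage backend itself. If a raw log is genuinely required, record why in the data and keep the file on a restricted path, for example a comment above the entry: `# raw audit device: values are NOT HMAC'd; keep this file vault-owned, 0600, and out of general log shipping`. Separately, `path` and `type` appear inside `options` for both devices, which reads like device-level attributes rather than file-audit options; I could not confirm from this hunk how the module renders the map, so check it against the generated config once.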


@ -15,7 +15,7 @@ class profiles::vault::server (
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt', Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key', Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt', Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log', Optional[Array[Hash]] $audit_devices = undef,
){ ){
# set a datacentre/cluster name # set a datacentre/cluster name
@ -64,18 +64,9 @@ class profiles::vault::server (
}, },
api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
extra_config => { extra_config => {
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
audit => [ audit => $audit_devices,
{ unsafe_allow_api_audit_creation => true,
file => {
'audit-file' => {
options => {
file_path => $audit_log,
}
}
}
}
],
}, },
listener => [ listener => [
{ {
@ -97,18 +88,11 @@ class profiles::vault::server (
] ]
} }
# ensure the vault audit log exists
file { $audit_log:
ensure => 'file',
owner => 'vault',
group => 'vault',
mode => '0600',
}
service { 'vault': service { 'vault':
ensure => true, ensure => true,
enable => true, enable => true,
subscribe => [File[$ssl_crt], File[$ssl_key]], subscribe => [File[$ssl_crt], File[$ssl_key], File['/etc/vault/config.json']],
} }
# include classes to manage vault # include classes to manage vault
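Review bot: `unsafe_allow_api_audit_creation => true` in the `extra_config` hash reopens the API path for enabling and disabling audit devices, which is exactly what declaring them in the configuration file was meant to take away: a sufficiently privileged token can again switch auditing off or redirect it, and the option's own name flags that trade-off. Unless there is a concrete need, gate it behind a parameter that defaults off, `Boolean $allow_api_audit_creation = false,` and `unsafe_allow_api_audit_creation => $allow_api_audit_creation,`, with a comment at the assignment stating why it is ever turned on. `$audit_devices` now defaults to `undef`, so if the module serializes `extra_config` as-is the rendered config may carry an `audit: null` key; an empty default, `Array[Hash] $audit_devices = [],`, avoids that while still accepting the hiera data. The dropped `file { $audit_log: ... mode => '0600' }` resource means ownership and mode of the audit files now depend on the file audit device's own `mode` handling (0600 unless overridden, at least in Vault), which deserves a one-line comment so the next reader does not think the hardening was lost by accident. Finally, `subscribe => File['/etc/vault/config.json']` hard-codes a resource title the vault module must declare or the catalog fails to compile; note that the `profiles::vault::server` class both starts before and continues after these hunks, so the parameter and the `vault` class call are only partly visible here.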