From 48e0bd6796a92c73cb14b629e981fdb0ea9b4005 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 21:03:55 +1100 Subject: [PATCH] fix: vault role fails on new servers - vault server fails on new servers - move unseal class to be included after vault class --- site/profiles/manifests/vault/server.pp | 103 ++++++++++---------- site/roles/manifests/infra/storage/vault.pp | 1 - 2 files changed, 54 insertions(+), 50 deletions(-) diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp index a0e760a..2d00013 100644 --- a/site/profiles/manifests/vault/server.pp +++ b/site/profiles/manifests/vault/server.pp @@ -1,7 +1,10 @@ # profiles::vault::server class profiles::vault::server ( Boolean $members_lookup = false, - String $members_role = undef, + Variant[ + String, + Undef + ] $members_role = undef, Array $vault_servers = [], Enum[ 'archive', @@ -22,12 +25,7 @@ class profiles::vault::server ( $vault_cluster = "${::facts['country']}-${::facts['region']}" # if lookup is enabled, find all the hosts in the specified role and create the servers_array - if $members_lookup { - - # check that the role is also set - unless !($members_role == undef) { - fail("members_role must be provided for ${title} when members_lookup is True") - } + if $members_lookup and $members_role != undef { # if it is, find hosts, sort them so they dont cause changes every run $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn')) 
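Review bot: The new `Variant[ String, Undef ] $members_role = undef,` spread over four lines is the long-hand spelling of Puppet's `Optional[String]`; `Optional[String] $members_role = undef,` on one line says the same thing and is the form readers of the parameter list will expect. The class body this parameter belongs to continues outside the hunk.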
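Review bot: The rewritten guard `if $members_lookup and $members_role != undef {` drops the `fail()` that previously caught `members_lookup => true` with no `members_role`; that misconfiguration now falls through to the alternative branch (visible at the top of the next hunk, presumably assigning `$vault_servers`), and with `$vault_servers` at its `[]` default the node quietly ends up with no Vault configuration instead of a failed compile. Keeping the check fails closed: `if $members_lookup {` followed by `if $members_role == undef { fail("members_role must be provided for ${title} when members_lookup is True") }` before the `query_nodes` call. The rest of the class lies outside this hunk.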
@@ -37,54 +35,61 @@ class profiles::vault::server ( $servers_array = $vault_servers } - # set http scheme - $http_scheme = $tls_disable ? { - true => 'http', - false => 'https' - } + # configure vault if servers_array isnt empty + if ! $servers_array.empty() { - # create vault urls - $server_urls = $servers_array.map |$fqdn| { - { - leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", - leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", - leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + # set http scheme + $http_scheme = $tls_disable ? { + true => 'http', + false => 'https' } - } - class { 'vault': - install_method => $install_method, - manage_storage_dir => $manage_storage_dir, - enable_ui => true, - storage => { - raft => { - node_id => $::facts['networking']['fqdn'], - path => $data_dir, - retry_join => $server_urls, - } - }, - api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", - extra_config => { - cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", - }, - listener => [ + # create vault urls + $server_urls = $servers_array.map |$fqdn| { { - tcp => { - address => "127.0.0.1:${client_port}", - cluster_address => "127.0.0.1:${cluster_port}", - tls_disable => true, + leader_api_addr => "${http_scheme}://${fqdn}:${client_port}", + leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem', + } + } + + class { 'vault': + install_method => $install_method, + manage_storage_dir => $manage_storage_dir, + enable_ui => true, + storage => { + raft => { + node_id => $::facts['networking']['fqdn'], + path => $data_dir, + retry_join => $server_urls, } }, - { - tcp => { - address => 
"${::facts['networking']['ip']}:${client_port}", - cluster_address => "${::facts['networking']['ip']}:${cluster_port}", - tls_disable => $tls_disable, - tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", - tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}", + extra_config => { + cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}", + }, + listener => [ + { + tcp => { + address => "127.0.0.1:${client_port}", + cluster_address => "127.0.0.1:${cluster_port}", + tls_disable => true, + } + }, + { + tcp => { + address => "${::facts['networking']['ip']}:${client_port}", + cluster_address => "${::facts['networking']['ip']}:${cluster_port}", + tls_disable => $tls_disable, + tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt", + tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key", + } } - } - ] + ] + } + + # include unseal class + include profiles::vault::unseal } } diff --git a/site/roles/manifests/infra/storage/vault.pp b/site/roles/manifests/infra/storage/vault.pp index b6afe40..fce67af 100644 --- a/site/roles/manifests/infra/storage/vault.pp +++ b/site/roles/manifests/infra/storage/vault.pp @@ -4,5 +4,4 @@ class roles::infra::storage::vault { include profiles::base include profiles::base::datavol include profiles::vault::server - include profiles::vault::unseal }
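Review bot: The new `if ! $servers_array.empty() {` guard skips both `class { 'vault': ... }` and the newly moved `include profiles::vault::unseal` without any log output when the server list is empty, so a node that never receives a Vault configuration (presumably the new-server case the commit is fixing) reports a clean run. An `else` branch with `warning("${title}: servers_array is empty for cluster ${vault_cluster}, skipping vault configuration")` makes the skipped state visible in reports. On style, `unless $servers_array.empty {` reads more naturally than the negated `if`, and the body mixes `${facts['networking']['fqdn']}` with `${::facts['networking']['fqdn']}` for the same value; one spelling would do. The enclosing class opens outside this hunk.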