feat: vault use vault
- change vault to use vault ephemeral certificates - remove nginx frontend to vault
This commit is contained in:
parent
22af602510
commit
7c0bf4a398
@ -7,11 +7,11 @@ consul::services:
|
||||
- 'https'
|
||||
- 'secure'
|
||||
address: "%{facts.networking.ip}"
|
||||
port: 443
|
||||
port: 8200
|
||||
checks:
|
||||
- id: 'vault_https_check'
|
||||
name: 'Vault HTTPS Check'
|
||||
http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
|
||||
http: "https://%{facts.networking.fqdn}:8200/v1/sys/health"
|
||||
method: 'GET'
|
||||
tls_skip_verify: true
|
||||
interval: '10s'
|
||||
|
||||
@ -18,9 +18,6 @@ class profiles::vault::server (
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
){
|
||||
|
||||
# use puppet certs as base
|
||||
include profiles::pki::puppetcerts
|
||||
|
||||
# set a datacentre/cluster name
|
||||
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
||||
|
||||
@ -48,9 +45,9 @@ class profiles::vault::server (
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
||||
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
leader_client_key_file => '/etc/pki/tls/vault/private.key',
|
||||
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
}
|
||||
}
|
||||
|
||||
@ -82,8 +79,8 @@ class profiles::vault::server (
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
tls_key_file => '/etc/pki/tls/vault/private.key',
|
||||
}
|
||||
}
|
||||
]
|
||||
@ -91,6 +88,5 @@ class profiles::vault::server (
|
||||
|
||||
# include classes to manage vault
|
||||
include profiles::vault::unseal
|
||||
include profiles::nginx::simpleproxy
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user