From 7c0bf4a398354fbaae434c91039a7eb80bf11642 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 26 May 2024 01:06:48 +1000
Subject: [PATCH] feat: vault use vault
- change vault to use vault ephemeral certificates
- remove nginx frontend to vault
---
 .../au/region/syd1/infra/storage/vault.yaml | 4 ++--
 site/profiles/manifests/vault/server.pp | 14 +++++--------
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
index d66aeea..fad5da4 100644
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@@ -7,11 +7,11 @@ consul::services:
 - 'https'
 - 'secure'
 address: "%{facts.networking.ip}"
- port: 443
+ port: 8200
 checks:
 - id: 'vault_https_check'
 name: 'Vault HTTPS Check'
- http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
+ http: "https://%{facts.networking.fqdn}:8200/v1/sys/health"
 method: 'GET'
 tls_skip_verify: true
 interval: '10s'
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index 6aeaf6a..d07e8ba 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -18,9 +18,6 @@ class profiles::vault::server (
 Stdlib::Absolutepath $bin_dir = '/usr/bin',
 ){
- # use puppet certs as base
- include profiles::pki::puppetcerts
 # set a datacentre/cluster name
 $vault_cluster = "${::facts['country']}-${::facts['region']}"
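Review bot: The health check that now hits Vault directly on :8200 still carries `tls_skip_verify: true`, so it reports healthy against whatever certificate the listener presents, including one that failed to renew — a gap that matters more now that the certificates are ephemeral rather than long-lived Puppet certs. server.pp in this same patch trusts `/etc/pki/tls/certs/ca-bundle.crt` for leader connections; if the Vault-issued certificate chains to that system bundle, the check can verify it by setting `tls_skip_verify: false` and a renewal failure becomes visible in Consul instead of silent. Hard-coding 8200 in both the service `port` and the check URL while server.pp derives its listener from `${client_port}` is also a small consistency risk if that port is ever changed in one place but not the other.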
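Review bot: Removing `include profiles::pki::puppetcerts` leaves nothing in this class that provisions the `/etc/pki/tls/vault/certificate.crt` and `private.key` files the later hunks point at, so a first agent run can render a Vault config whose key and certificate do not exist yet. If an external issuer writes those files, the class should at least `include` or `require` it so the ordering is explicit, and the deleted `# use puppet certs as base` comment deserves a replacement along the lines of `# TLS material under /etc/pki/tls/vault is issued by <ISSUER-CLASS-OR-AGENT placeholder>; it is not managed here`. The enclosing class body continues outside the hunk.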
@@ -48,9 +45,9 @@ class profiles::vault::server (
 $server_urls = $servers_array.map |$fqdn| { {
 leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
- leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
- leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
- leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
+ leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
+ leader_client_key_file => '/etc/pki/tls/vault/private.key',
+ leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
 }
 }
@@ -82,8 +79,8 @@ class profiles::vault::server (
 address => "${::facts['networking']['ip']}:${client_port}",
 cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
 tls_disable => $tls_disable,
- tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
- tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
+ tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
+ tls_key_file => '/etc/pki/tls/vault/private.key',
 }
 }
 ]
@@ -91,6 +88,5 @@ class profiles::vault::server (
 # include classes to manage vault
 include profiles::vault::unseal
- include profiles::nginx::simpleproxy
 }
 }
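Review bot: `leader_ca_cert_file` now points at the whole system bundle `/etc/pki/tls/certs/ca-bundle.crt`, so a joining node will accept a leader presenting a certificate from any CA in that bundle rather than only the CA that issues the cluster's Vault certificates; the replaced `/etc/pki/tls/puppet/ca.pem` scoped that trust to one issuer. Unless the issuing CA is only available through the system bundle, pointing this at the issuing CA's own chain file keeps raft join trust limited to the PKI that produced `certificate.crt`, and whatever writes the certificate and key can usually write the chain beside them. If the issuing CA is in fact private and has been added to the system bundle on purpose, a comment on this line saying so would stop the next reader from raising the same question.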
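Review bot: The listener only re-reads `tls_cert_file` and `tls_key_file` on a reload, and nothing in this diff shows the Vault service being notified when `/etc/pki/tls/vault/certificate.crt` or `private.key` change, so a rotated short-lived certificate keeps being served until the process is restarted and will eventually expire in place. If the issuing agent already signals Vault to reload, a comment on these two lines saying so would settle it; otherwise the resource that writes the files should `notify` the Vault service resource (the one this module declares) so rotation takes effect. The `listener` hash these lines belong to begins outside the hunk.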