feat: vault use vault
- change vault to use vault ephemeral certificates - remove nginx frontend to vault
@@ -18,9 +18,6 @@ class profiles::vault::server (
|
||||
Stdlib::Absolutepath $bin_dir = '/usr/bin',
|
||||
){
|
||||
|
||||
# use puppet certs as base
|
||||
include profiles::pki::puppetcerts
|
||||
|
||||
# set a datacentre/cluster name
|
||||
$vault_cluster = "${::facts['country']}-${::facts['region']}"
|
||||
|
||||
@@ -48,9 +45,9 @@ class profiles::vault::server (
|
||||
$server_urls = $servers_array.map |$fqdn| {
|
||||
{
|
||||
leader_api_addr => "${http_scheme}://${fqdn}:${client_port}",
|
||||
leader_client_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
leader_client_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
leader_ca_cert_file => '/etc/pki/tls/puppet/ca.pem',
|
||||
leader_client_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
leader_client_key_file => '/etc/pki/tls/vault/private.key',
|
||||
leader_ca_cert_file => '/etc/pki/tls/certs/ca-bundle.crt',
|
||||
}
|
||||
}
|
||||
|
||||
@@ -82,8 +79,8 @@ class profiles::vault::server (
|
||||
address => "${::facts['networking']['ip']}:${client_port}",
|
||||
cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
|
||||
tls_disable => $tls_disable,
|
||||
tls_cert_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt",
|
||||
tls_key_file => "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key",
|
||||
tls_cert_file => '/etc/pki/tls/vault/certificate.crt',
|
||||
tls_key_file => '/etc/pki/tls/vault/private.key',
|
||||
}
|
||||
}
|
||||
]
|
||||
@@ -91,6 +88,5 @@ class profiles::vault::server (
|
||||
|
||||
# include classes to manage vault
|
||||
include profiles::vault::unseal
|
||||
include profiles::nginx::simpleproxy
|
||||
}
|
||||
}
|
||||
|
||||
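Review bot: In the `$server_urls` map (second hunk), `leader_ca_cert_file` now points at the system bundle `/etc/pki/tls/certs/ca-bundle.crt` instead of a single CA file, so a joining node would accept a leader certificate chaining to any CA in that bundle rather than only the CA that issues the Vault certificates. Pinning it to the issuing CA keeps the trust scope as narrow as it was, e.g. `leader_ca_cert_file => '<path to Vault issuing CA PEM>',` (a placeholder, since the page does not show where that CA is deployed). Separately, with `include profiles::pki::puppetcerts` removed, no visible hunk declares what writes `/etc/pki/tls/vault/certificate.crt` and `/etc/pki/tls/vault/private.key`, sets the key's owner and mode, or orders them before the Vault service. If that lives in another class, a comment above the listener block such as `# cert/key are provisioned by <class>; must exist before the vault service starts` would make the dependency explicit. The class body starts and continues outside these hunks, so the provisioning may simply not be shown here.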